Defending against Model Inversion Attacks via Random Erasing

• URL: http://arxiv.org/abs/2409.01062v1
• Date: Mon, 2 Sep 2024 08:37:17 GMT
• Title: Defending against Model Inversion Attacks via Random Erasing
• Authors: Viet-Hung Tran, Ngoc-Bao Nguyen, Son T. Mai, Hans Vandierendonck, Ngai-man Cheung,
• Abstract summary: We present a new method to defend against Model Inversion (MI) attacks. Our idea is based on a novel insight on Random Erasing (RE) We show that RE can lead to substantial degradation in MI reconstruction quality and attack accuracy.
• Score: 24.04876860999608
• License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
• Abstract: Model Inversion (MI) is a type of privacy violation that focuses on reconstructing private training data through abusive exploitation of machine learning models. To defend against MI attacks, state-of-the-art (SOTA) MI defense methods rely on regularizations that conflict with the training loss, creating explicit tension between privacy protection and model utility. In this paper, we present a new method to defend against MI attacks. Our method takes a new perspective and focuses on training data. Our idea is based on a novel insight on Random Erasing (RE), which has been applied in the past as a data augmentation technique to improve the model accuracy under occlusion. In our work, we instead focus on applying RE for degrading MI attack accuracy. Our key insight is that MI attacks require significant amount of private training data information encoded inside the model in order to reconstruct high-dimensional private images. Therefore, we propose to apply RE to reduce private information presented to the model during training. We show that this can lead to substantial degradation in MI reconstruction quality and attack accuracy. Meanwhile, natural accuracy of the model is only moderately affected. Our method is very simple to implement and complementary to existing defense methods. Our extensive experiments of 23 setups demonstrate that our method can achieve SOTA performance in balancing privacy and utility of the models. The results consistently demonstrate the superiority of our method over existing defenses across different MI attacks, network architectures, and attack configurations.

Related papers

• Model Inversion Robustness: Can Transfer Learning Help? [27.883074562565877]
  Model Inversion (MI) attacks aim to reconstruct private training data by abusing access to machine learning models. We propose Transfer Learning-based Defense against Model Inversion (TL-DMI) to render MI-robust models. Our method achieves state-of-the-art (SOTA) MI robustness without bells and whistles.
  arXiv  Detail & Related papers  (2024-05-09T07:24:28Z)
• MIST: Defending Against Membership Inference Attacks Through Membership-Invariant Subspace Training [20.303439793769854]
  Member Inference (MI) attacks are a major privacy concern when using private data to train machine learning (ML) models. We introduce a novel Membership-Invariant Subspace Training (MIST) method to defend against MI attacks.
  arXiv  Detail & Related papers  (2023-11-02T01:25:49Z)
• Isolation and Induction: Training Robust Deep Neural Networks against Model Stealing Attacks [51.51023951695014]
  Existing model stealing defenses add deceptive perturbations to the victim's posterior probabilities to mislead the attackers. This paper proposes Isolation and Induction (InI), a novel and effective training framework for model stealing defenses. In contrast to adding perturbations over model predictions that harm the benign accuracy, we train models to produce uninformative outputs against stealing queries.
  arXiv  Detail & Related papers  (2023-08-02T05:54:01Z)
• Avoid Adversarial Adaption in Federated Learning by Multi-Metric Investigations [55.2480439325792]
  Federated Learning (FL) facilitates decentralized machine learning model training, preserving data privacy, lowering communication costs, and boosting model performance through diversified data sources. FL faces vulnerabilities such as poisoning attacks, undermining model integrity with both untargeted performance degradation and targeted backdoor attacks. We define a new notion of strong adaptive adversaries, capable of adapting to multiple objectives simultaneously. MESAS is the first defense robust against strong adaptive adversaries, effective in real-world data scenarios, with an average overhead of just 24.37 seconds.
  arXiv  Detail & Related papers  (2023-06-06T11:44:42Z)
• Re-thinking Model Inversion Attacks Against Deep Neural Networks [34.87141698143304]
  Model inversion (MI) attacks aim to infer and reconstruct private training data by abusing access to a model. Recent algorithms for MI have been proposed to improve the attack performance. We study two fundamental issues pertaining to all state-of-the-art (SOTA) MI algorithms.
  arXiv  Detail & Related papers  (2023-04-04T09:58:07Z)
• CANIFE: Crafting Canaries for Empirical Privacy Measurement in Federated Learning [77.27443885999404]
  Federated Learning (FL) is a setting for training machine learning models in distributed environments. We propose a novel method, CANIFE, that uses carefully crafted samples by a strong adversary to evaluate the empirical privacy of a training round.
  arXiv  Detail & Related papers  (2022-10-06T13:30:16Z)
• RelaxLoss: Defending Membership Inference Attacks without Losing Utility [68.48117818874155]
  We propose a novel training framework based on a relaxed loss with a more achievable learning target. RelaxLoss is applicable to any classification model with added benefits of easy implementation and negligible overhead. Our approach consistently outperforms state-of-the-art defense mechanisms in terms of resilience against MIAs.
  arXiv  Detail & Related papers  (2022-07-12T19:34:47Z)
• Knowledge-Enriched Distributional Model Inversion Attacks [49.43828150561947]
  Model inversion (MI) attacks are aimed at reconstructing training data from model parameters. We present a novel inversion-specific GAN that can better distill knowledge useful for performing attacks on private models from public data. Our experiments show that the combination of these techniques can significantly boost the success rate of the state-of-the-art MI attacks by 150%.
  arXiv  Detail & Related papers  (2020-10-08T16:20:48Z)
• Improving Robustness to Model Inversion Attacks via Mutual Information Regularization [12.079281416410227]
  This paper studies defense mechanisms against model inversion (MI) attacks. MI is a type of privacy attacks aimed at inferring information about the training data distribution given the access to a target machine learning model. We propose the Mutual Information Regularization based Defense (MID) against MI attacks.
  arXiv  Detail & Related papers  (2020-09-11T06:02:44Z)
• How Does Data Augmentation Affect Privacy in Machine Learning? [94.52721115660626]
  We propose new MI attacks to utilize the information of augmented data. We establish the optimal membership inference when the model is trained with augmented data.
  arXiv  Detail & Related papers  (2020-07-21T02:21:10Z)

This list is automatically generated from the titles and abstracts of the papers in this site.

This site does not guarantee the quality of this site (including all information) and is not responsible for any consequences.