Location via proxy:   [ UP ]  
[Report a bug]   [Manage cookies]                
Skip to main content
Springer Nature Link
Log in

A High-Recall Membership Inference Attack Based on Confidence-Thresholding Method with Relaxed Assumption

  • Conference paper
  • First Online:
Machine Learning for Cyber Security (ML4CS 2020)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 12487))

Included in the following conference series:

  • 1363 Accesses

Abstract

Membership inference attack (MIA) aims to infer whether a given data sample is in the target training dataset or not, which poses a severe privacy risk in particular data-sensitive fields like the military, national security department, as well as enterprise. Observing that a model generated from adversarial training is more vulnerable against MIA, a novel attack method based on confidence-thresholding was proposed by Song et al. recently. However, it is not a straightforward work to deploy such an attack into real-world application scenarios, since shadow training and redundant assumptions are prerequisites. To address the above issues, in this paper, we propose an improved confidence-thresholding method with relaxed assumption, evaluating the prediction accuracy as the threshold. Our attack can be released without using shadow training and an additional dataset. Instead of collecting an additional dataset, attackers use their target data records, which are needed to be inferred about membership, to achieve MIA. As a result, our proposed attack against robust model has an overwhelming advantage on model recall with fewer accuracy and precision loss. Extensive experiments are conducted on real-world data, i.e., Yale Face, and the results show that our proposed MIA attack is effective and feasible.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution

Subscribe and save

Springer+ Basic
$34.99 /Month
  • Get 10 units per month
  • Download Article/Chapter or eBook
  • 1 Unit = 1 Article or 1 Chapter
  • Cancel anytime
Subscribe now

Buy Now

Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 99.00
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 129.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Similar content being viewed by others

References

  1. Biggio, B., Nelson, B., Laskov, P.: Poisoning attacks against support vector machines. In: International Conference on Machine Learning (ICML), pp. 1467–1474 (2012)

    Google Scholar 

  2. Chen, X., Li, J., Ma, J., Tang, Q., Lou, W.: New algorithms for secure outsourcing of modular exponentiations. In: Foresti, S., Yung, M., Martinelli, F. (eds.) ESORICS 2012. LNCS, vol. 7459, pp. 541–556. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-33167-1_31

    Chapter  Google Scholar 

  3. Chen, X., Huang, X., Li, J., Ma, J., Lou, W., Wong, D.S.: New algorithms for secure outsourcing of large-scale systems of linear equations. IEEE Trans. Inf. Forensics Secur. 10(1), 69–78 (2015)

    Article  Google Scholar 

  4. Ciolacu, M., Tehrani, A. F., Beer, R., Popp, H.: Education 4.0–fostering student’s performance with machine learning methods. In: Proceedings of the 2017 IEEE 23rd International Symposium for Design and Technology in Electronic Packaging (SIITME), pp. 438–443 (2017)

    Google Scholar 

  5. Elsayed, G., et al.: Adversarial examples that fool both computer vision and time-limited humans. In: Proceedings of the Advances in Neural Information Processing Systems, pp. 3910–3920 (2018)

    Google Scholar 

  6. Fredrikson, M., Jha, S., Ristenpart, T.: Model inversion attacks that exploit confidence information and basic countermeasures. In: Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, pp. 1322–1333 (2015)

    Google Scholar 

  7. Goodfellow, I. J., Shlens, J., Szegedy, C.: Explaining and harnessing adversarial examples. In: International Conference on Machine Learning (2015)

    Google Scholar 

  8. Guo, H., Tang, R., Ye, Y., Li, Z., He, X.: DeepFM: a factorization-machine based neural network for CTR prediction. In: Proceedings of the Twenty-Sixth International Joint Conference on Artificial Intelligence (IJCAI), pp. 1725–1731 (2017)

    Google Scholar 

  9. Isele, D., Cosgun, A., Subramanian, K., Fujimura, K.: Navigating intersections with autonomous vehicles using deep reinforcement learning. In: 2018 IEEE International Conference on Robotics and Automation (ICRA), pp. 2034–2039 (2017)

    Google Scholar 

  10. Leino, K., Fredrikson, M.: Stolen memories: leveraging model memorization for calibrated white-box membership inference. arXiv preprint arXiv:1906.11798 (2019)

  11. Long, Y., Bindschaedler, V., Gunter, C.A.: Towards measuring membership privacy. arXiv preprint arXiv:1712.09136 (2017)

  12. Long, Y., et al.: Understanding membership inferences on well-generalized learning models. arXiv preprint arXiv:1802.04889 (2018)

  13. Mao, Y., Zhu, X., Zheng, W., Yuan, D., Ma, J.: A novel user membership leakage attack in collaborative deep learning. In: Proceedings of the 2019 11th International Conference on Wireless Communications and Signal Processing (WCSP), pp. 1–6 (2019)

    Google Scholar 

  14. Melis, L., Song, C., De Cristofaro, E., Shmatikov, V.: Exploiting unintended feature leakage in collaborative learning. In: Proceedings of the 2019 IEEE Symposium on Security and Privacy (SP), pp. 691–706 (2019)

    Google Scholar 

  15. Nasr, M., Shokri, R., Houmansadr, A.: Comprehensive privacy analysis of deep learning: passive and active white-box inference attacks against centralized and federated learning. In: Proceedings of the 2019 IEEE Symposium on Security and Privacy (SP), pp. 739–753 (2019)

    Google Scholar 

  16. Rahman, M.A., Rahman, T., Laganiére, R., Mohammed, N., Wang, Y.: Membership inference attack against differentially private deep learning model. Trans. Data Priv. 11(1), 61–79 (2018)

    Google Scholar 

  17. Raví, D., et al.: Deep learning for health informatics. IEEE J. Biomed. Health Inform. 21(1), 4–21 (2016)

    Article  Google Scholar 

  18. Salem, A., Zhang, Y., Humbert, M., Berrang, P., Fritz, M., Backes, M.: ML-Leaks: model and data independent membership inference attacks and defenses on machine learning models. In: 26th Annual Network and Distributed System Security Symposium (2019)

    Google Scholar 

  19. Shokri, R., Stronati, M., Song, C., Shmatikov, V.: Membership inference attacks against machine learning models. In: Proceedings of the 2017 IEEE Symposium on Security and Privacy (SP), pp. 3–18 (2017)

    Google Scholar 

  20. Song, L., Shokri, R., Mittal, P.: Privacy risks of securing machine learning models against adversarial examples. In: Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security (CCS), pp. 241–257 (2019)

    Google Scholar 

  21. Song, C., Ristenpart, T., Shmatikov, V.: Machine learning models that remember too much. In: Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security (CCS), pp. 587–601 (2017)

    Google Scholar 

  22. Shan, Y., Hoens, T.R., Jiao, J., Wang, H., Yu, D., Mao, J.C.: Deep crossing: web-scale modeling without manually crafted combinatorial features. In: Proceedings of the 22nd ACM SIGKDD International Conference on Knowledge Discovery and Data Mining, pp. 255–262 (2016)

    Google Scholar 

  23. Shafahi, A., et al.: Poison frogs! targeted clean-label poisoning attacks on neural networks. In: Proceedings of the Advances in Neural Information Processing Systems, pp. 6103–6113 (2018)

    Google Scholar 

  24. Wang, Z., Song, M., Zhang, Z., Song, Y., Wang, Q., Qi, H.: Beyond inferring class representatives: user-level privacy leakage from federated learning. In: Proceedings of the IEEE INFOCOM 2019-IEEE Conference on Computer Communications, pp. 2512–2520 (2019)

    Google Scholar 

  25. Yang, C., Wu, Q., Li, H., Chen, Y.: Generative poisoning attack method against neural networks. arXiv preprint arXiv:1703.01340 (2017)

  26. Yeom, S., Giacomelli, I., Fredrikson, M., Jha, S.: Privacy risk in machine learning: analyzing the connection to overfitting. In: Proceedings of the 2018 IEEE 31st Computer Security Foundations Symposium (CSF), pp. 268–282 (2018)

    Google Scholar 

  27. Yuan, X., He, P., Zhu, Q., Li, X.: Adversarial examples: attacks and defenses for deep learning. IEEE Trans. Neural Netw. Learn. Syst. 30(9), 2805–2824 (2019)

    Article  MathSciNet  Google Scholar 

  28. Zhang, W., Du, T., Wang, J.: Deep learning over multi-field categorical data. In: Ferro, N., et al. (eds.) ECIR 2016. LNCS, vol. 9626, pp. 45–57. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-30671-1_4

    Chapter  Google Scholar 

  29. Zhang, X., Chen, X., Liu, J., Xiang, Y.: DeepPAR and DeepDPA: privacy-preserving and asynchronous deep learning for industrial IoT. IEEE Trans. Ind. Inf. 16(3), 2081–2090 (2019)

    Article  Google Scholar 

  30. Zhang, X., Jiang, T., Li, K.C., Castiglione, A., Chen, X.: New publicly verifiable computation for batch matrix multiplication. Inf. Sci. 479, 664–678 (2019)

    Article  Google Scholar 

Download references

Acknowledgment

The authors would like to acknowledge the support of the National Natural Science Foundation of China (No. 61902315).

Author information

Authors and Affiliations

  1. State Key Laboratory of Integrated Service Networks (ISN), Xidian University, Xi’an, China

    Lulu Wang, Xiaoyu Zhang & Yi Xie

  2. School of Software, Qufu Normal University, Qufu, China

    Xu Ma

  3. School of Cyberspace Security, Xi’an University of Posts and Telecommunications, Xi’an, China

    Meixia Miao

Authors
  1. Lulu Wang
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Xiaoyu Zhang
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Yi Xie
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Xu Ma
    View author publications

    You can also search for this author in PubMed Google Scholar

  5. Meixia Miao
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Xiaoyu Zhang .

Editor information

Editors and Affiliations

  1. Xidian University, Xi'an, China

    Xiaofeng Chen

  2. Guangzhou University, Guangzhou, China

    Hongyang Yan

  3. Michigan State University, East Lansing, MI, USA

    Qiben Yan

  4. Division of Computer, Electrical and Mathematical Sciences and Engineering, King Abdullah University of Science, Thuwal, Saudi Arabia

    Xiangliang Zhang

Rights and permissions

Reprints and permissions

Copyright information

© 2020 Springer Nature Switzerland AG

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Wang, L., Zhang, X., Xie, Y., Ma, X., Miao, M. (2020). A High-Recall Membership Inference Attack Based on Confidence-Thresholding Method with Relaxed Assumption. In: Chen, X., Yan, H., Yan, Q., Zhang, X. (eds) Machine Learning for Cyber Security. ML4CS 2020. Lecture Notes in Computer Science(), vol 12487. Springer, Cham. https://doi.org/10.1007/978-3-030-62460-6_47

Download citation

  • DOI: https://doi.org/10.1007/978-3-030-62460-6_47

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-62459-0

  • Online ISBN: 978-3-030-62460-6

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation