
2020-04-24  (this post has been migrated to CSDN)

[CCS'19] MemGuard: Defending against Black-Box Membership Inference Attacks via Adversarial Examples

Keywords: Membership Inference Attack, Adversarial Example
Takeaways: This paper proposes the neat idea of defending against MIAs by turning adversarial examples against the attacker: the defender adds carefully crafted noise to the confidence score vector so that the attacker's membership classifier is fooled. The defense beats its counterparts because it strictly bounds the utility loss (the distortion of the confidence score vector), giving a better utility-privacy trade-off than existing defenses.


Background

1. Membership Inference Attacks

In a nutshell, an attacker trains a binary classifier which takes a data sample's confidence score vector, as predicted by the target classifier, as input and predicts whether the data sample is a member or a non-member of the target classifier's training dataset.

MIA leads to:

  1. severe privacy violations (e.g., when the training data comes from sensitive domains such as health care, membership alone reveals something about a person)
  2. damage to the model provider's intellectual property (the curated, labeled training data is itself an asset, and MIA leaks information about it)

A major reason why membership inference attacks succeed is that the target classifier is overfitted to its training data:
as a result, the confidence score vectors it predicts are distinguishable between members and non-members of the training dataset (members typically receive more confident, more peaked vectors).

2. Existing defenses against MIA:

Refer to the paper for details.


Design

1. Overview

MemGuard is a post-processing defense that sits between the target classifier and the user: for every query, the defender adds a carefully crafted noise vector to the confidence score vector before returning it. The noise is chosen so that the attacker's membership classifier is misled (the confidence score vector is turned into an adversarial example against the attacker), while the predicted label stays unchanged and the distortion of the confidence score vector is strictly bounded. Since the defender does not know the attacker's classifier, it trains its own membership classifier (the defense classifier) as a surrogate and crafts the noise against that.

2. Formulation of MIA defense:

The noise is drawn at random: the defender picks a probability distribution over noise vectors, with the objective of making the defense classifier's expected membership prediction on the noisy vector as close as possible to 0.5, i.e. a random guess. The constraints are that (i) adding the noise does not change the predicted label (the argmax of the vector), (ii) the noisy vector is still a valid probability distribution, and (iii) the expected distortion of the confidence score vector, measured with the L1 norm, stays within a budget ε set by the model provider. Stated this way the problem is hard: the variable is a distribution over the whole noise space and the constraints are non-linear.

3. Key ideas of the solution

  1. Divide the noise space: the noise space is split into two groups according to the defense classifier's decision on the noisy vector, the noise vectors that keep its decision and the ones that flip it. Within a group the decision is constant, so only the smallest-distortion noise vector of each group matters: the zero vector for the group that keeps the decision, and a single minimum-distortion noise vector r for the group that flips it. The distribution over the whole noise space collapses to one number, the probability p of adding r.

  2. Two-phase framework to solve the optimization problem: Phase I finds r, by crafting an adversarial example against the defense classifier while preserving the label and keeping the vector a valid probability distribution; Phase II picks p so that the expected distortion (p times the distortion of r) stays within ε and the expected decision is as close to 0.5 as possible.


4. Solution

The original problem optimizes over a probability distribution under many non-linear constraints. It is turned into an unconstrained problem over two fixed variables (r and p): first the constraints are transformed, then they are eliminated. Phase I is solved by gradient descent against the defense classifier, the same way an adversarial example is crafted, with the constraints enforced during the search; Phase II then has a simple closed form.
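To make the two-phase framework concrete, here is an added, self-contained toy implementation (my own example, not code from the MemGuard paper or its authors). Everything in it is an assumption for illustration: the defense classifier h is a fixed logistic function of the top confidence score instead of a network trained on shadow data, Phase I uses sign-gradient steps in logit space and stops at the first feasible point, the closed form for p follows from the two-representative reduction described above, and the member/non-member confidence vectors are constructed. The attacker is assumed to use h itself, i.e. the defender's surrogate matches the attacker's classifier exactly.

```python
import numpy as np


def softmax(z):
    e = np.exp(z - np.max(z))
    return e / e.sum()


def defense_classifier(s, a=12.0, b=-9.0):
    """Assumed stand-in for the defender's membership classifier h (the paper
    trains h on shadow data). A logistic function of the top confidence score:
    over-confident vectors look like members; the boundary is max(s) = 0.75."""
    return 1.0 / (1.0 + np.exp(-(a * float(np.max(s)) + b)))


def numeric_grad(f, x, eps=1e-4):
    """Central finite-difference gradient of scalar f at x (assumed helper)."""
    g = np.zeros_like(x)
    for i in range(x.size):
        d = np.zeros_like(x)
        d[i] = eps
        g[i] = (f(x + d) - f(x - d)) / (2 * eps)
    return g


def phase_one(s, step=0.02, max_steps=1000):
    """Phase I: find noise r such that (1) h's decision on s + r is flipped,
    (2) argmax(s + r) == argmax(s) (label unchanged) and (3) s + r is a valid
    probability vector. The search takes sign-gradient steps in logit space and
    maps back through softmax, so (3) holds by construction; it stops at the
    first feasible point, which for a small step is close to the minimum
    distortion. Returns None if no feasible point is reached."""
    s = np.asarray(s, dtype=float)
    label, member = int(np.argmax(s)), defense_classifier(s) >= 0.5
    z = np.log(np.clip(s, 1e-12, 1.0))            # logits with softmax(z) == s
    delta = np.zeros_like(z)
    score = lambda d: defense_classifier(softmax(z + d))
    for _ in range(max_steps):
        s_noisy = softmax(z + delta)
        if (defense_classifier(s_noisy) >= 0.5) != member:
            return s_noisy - s if int(np.argmax(s_noisy)) == label else None
        g = np.sign(numeric_grad(score, delta))
        delta = delta - step * g if member else delta + step * g   # toward h's boundary
    return None


def phase_two(r, epsilon):
    """Phase II: the noise space is reduced to two representatives, 0 (keeps
    h's decision) and r (flips it). Adding r with probability p leaves h's
    expected decision |p - 0.5| from a random guess at expected L1 distortion
    p * ||r||_1, so the best p within budget epsilon is min(0.5, epsilon/||r||_1)."""
    d = float(np.abs(r).sum())
    return min(0.5, epsilon / d) if d > 0 else 0.0


def memguard(s, epsilon, rng):
    """Release step: return s + r with probability p, otherwise s unchanged."""
    s = np.asarray(s, dtype=float)
    r = phase_one(s)
    if r is None:
        return s
    return s + r if rng.random() < phase_two(r, epsilon) else s


def constructed_dataset(n=100, seed=1):
    """Constructed toy data (3 classes): members get peaked confidence
    vectors, non-members flat ones; sorted so index 0 is the predicted label."""
    rng = np.random.default_rng(seed)
    samples, labels = [], []
    for i in range(n):
        is_member = i % 2 == 0
        top = rng.uniform(0.85, 0.99) if is_member else rng.uniform(0.45, 0.70)
        rest = rng.dirichlet(np.ones(2)) * (1.0 - top)
        samples.append(np.sort(np.concatenate(([top], rest)))[::-1])
        labels.append(is_member)
    return samples, labels


def attack_accuracy(samples, labels, epsilon=None, seed=0):
    """Accuracy of an attacker whose membership classifier is h itself (assumed
    worst case). epsilon=None releases the unmodified confidence vectors."""
    rng = np.random.default_rng(seed)
    correct = 0
    for s, is_member in zip(samples, labels):
        released = s if epsilon is None else memguard(s, epsilon, rng)
        correct += (defense_classifier(released) >= 0.5) == is_member
    return correct / len(samples)


def expected_attack_accuracy(samples, labels, epsilon):
    """Exact expectation of attack_accuracy: a sample h gets right is flipped
    to wrong with probability p, and one it gets wrong is flipped to right."""
    acc = 0.0
    for s, is_member in zip(samples, labels):
        r = phase_one(s)
        p = 0.0 if r is None else phase_two(r, epsilon)
        right = (defense_classifier(s) >= 0.5) == is_member
        acc += (1.0 - p) if right else p
    return acc / len(samples)
```

On the constructed data the attacker is 100% accurate without the defense. With a budget of ε = 1.0 every sample gets p = 0.5 (the L1 distortion of a probability vector never exceeds 2), so the attacker's expected accuracy drops to exactly 0.5 while every released vector still carries the correct label; with a tight budget such as ε = 0.1, p is capped by ε divided by the distortion of r, and the accuracy lands in between. That is the utility-privacy dial the paper describes: the provider chooses ε, and the distortion never exceeds it in expectation.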

Experimental Results

Omitted. Refer to the paper for details.


Personal Response

+ Strengths:

  1. The fancy idea of using AEs to defend against MIA
  2. Skillful transformation and elimination of the constraints when solving the optimization problem

- Weaknesses:

  1. It seems that the authors have missed an important part of the noise space grouping. Specifically, the noise space is claimed to be divided into two groups. However, it is not intuitive how to ensure that both groups exist in every case, especially group n1. And how are they grouped?

[Reprint notice] Please credit the source, AISecPaperShare, when reprinting or citing this post.
