Against Membership Inference Attack: Pruning is All You Need

Wang, Yijue; Wang, Chenghong; Wang, Zigeng; Zhou, Shanglin; Liu, Huan; Bi, Jinbo; Ding, Caiwen; Rajasekaran, Sanguthevar

doi:10.24963/ijcai.2021/432

Cited by 24 publications

(9 citation statements)

References 0 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Recent studies show that private training data can be recovered through the deep learning model by gradients (Zhu et al, 2019;Geiping et al, 2020;Wang et al, 2021). For instance, recent work "Deep Leakage from Gradient" (DLG) (Zhu et al, 2019) showed the shared gradients could leak private training data in image classification.…”

Section: Introductionmentioning

confidence: 99%

TAG: Gradient Attack on Transformer-based Language Models

Deng¹,

Wang²,

Li³

et al. 2021

Findings of the Association for Computational Linguistics: EMNLP 2021

Self Cite

View full text Add to dashboard Cite

Although distributed learning has increasingly gained attention in terms of effectively utilizing local devices for data privacy enhancement, recent studies show that publicly shared gradients in the training process can reveal the private training data (gradient leakage) to a third party. However, so far there hasn't been any systematic study of the gradient leakage mechanism of the Transformer based language models. In this paper, as the first attempt, we formulate the gradient attack problem on the Transformer-based language models and propose a gradient attack algorithm, TAG, to recover the local training data. Experimental results on Transformer, TinyBERT 4 , TinyBERT 6 , BERT BASE , and BERT LARGE using GLUE benchmark show that compared with DLG (Zhu et al., 2019), TAG works well on more weight distributions in recovering private training data and achieves 1.5× Recover Rate and 2.5× ROUGE-2 over prior methods without the need of ground truth label. TAG can obtain up to 88.9% tokens and up to 0.93 cosine similarity in token embeddings from private training data by attacking gradients on CoLA dataset. In addition, TAG is stronger than previous approaches on larger models, smaller dictionary size, and smaller input length.

show abstract

Section: Introductionmentioning

confidence: 99%

TAG: Gradient Attack on Transformer-based Language Models

Deng¹,

Wang²,

Li³

et al. 2021

Findings of the Association for Computational Linguistics: EMNLP 2021

Self Cite

View full text Add to dashboard Cite

show abstract

“…Jia et al [12] studied to fuzzy the confidence score vector to evade the membership classification of the attack model. Wang et al [17] reduced model storage and computational operation to defend membership inference attacks. Yin et al [18] set definitions for utility and privacy of target classifier, and formulated the design goal of the defence method as an optimization problem and solved it.…”

Section: Protection Mechanism Against Membership Inference Attackmentioning

confidence: 99%

“…Wang et al. [17] reduced model storage and computational operation to defend membership inference attacks. Yin et al.…”

Section: Related Workmentioning

confidence: 99%

“…As a result, the members and non‐members are distinguishable according to the prediction scores or the parameters' gradients in the target model. There are several defences [7–11, 13, 17, 18] have been proposed and most of them try to reduce overfitting by various regularization technique, such as L2 regularization [7], min–max game based adversarial regularization [11, 18], and dropout [9]. In addition, Song et al.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Privacy‐preserving generative framework for images against membership inference attacks

Yang

Miao

et al. 2022

IET Communications

View full text Add to dashboard Cite

Machine learning has become an integral part of modern intelligent systems in all aspects of life. Membership inference attacks (MIAs), as the significant model attacks, also jeopardize the privacy of the intelligent systems. Previous works on defending MIAs concentrate on the model output perturbation or tampering with the training process. However, data and model reuse are common in intelligent systems, which results in the lack of scalability of previous defending works. This paper proposes a new privacy-preserving framework for images to transform source data into synthetic data to train models against MIAs. The synthetic data makes it easy to defend MIAs during data and model reuse to improve the scheme's scalability. The framework generates synthetic data satisfying differential privacy through the variational autoencoder model's information extraction and data generation capabilities to improve model accuracy. A noise addition mechanism with metric privacy for the latent code generated from source data is proposed, where noise is the product of Γ-distribution and unit hyper-sphere samples. Moreover, it is proved that the synthetic data also satisfies metric privacy. The experimental evaluations demonstrate that the framework reduces MIAs' attack accuracy to about 0.5 and maintains higher utility than DP-SGD under the same setting.

show abstract

“…For privacy preserving, DP is able to protect privacy with the guarantees of mathematical proof from the perspective of data reconstruction and membership inference. Unfortunately, it imposes a significant accuracy loss for protecting complicated models [29]. Homomorphic encryption brings too much computation overhead, making it unsuitable for models with relatively large numbers of parameters.…”

Section: Related Workmentioning

confidence: 99%

Secure and Efficient Decentralized Federated Learning with Data Representation Protection

Qin¹,

Deng²,

Yan³

et al. 2022

Preprint

View full text Add to dashboard Cite

Federated learning (FL) is a promising technical support to the vision of ubiquitous artificial intelligence in the sixth generation (6G) wireless communication network. However, traditional FL heavily relies on a trusted centralized server. Besides, FL is vulnerable to poisoning attacks, and the global aggregation of model updates makes the private training data under the risk of being reconstructed. What's more, FL suffers from efficiency problem due to heavy communication cost. Although decentralized FL eliminates the problem of the central dependence of traditional FL, it makes other problems more serious. In this paper, we propose BlockDFL, an efficient fully peer-to-peer (P2P) framework for decentralized FL. It integrates gradient compression and our designed voting mechanism with blockchain to efficiently coordinate multiple peer participants without mutual trust to carry out decentralized FL, while preventing data from being reconstructed according to transmitted model updates. Extensive experiments conducted on two real-world datasets exhibit that BlockDFL obtains competitive accuracy compared to centralized FL and can defend against poisoning attacks while achieving efficiency and scalability. Especially when the proportion of malicious participants is as high as 40 percent, BlockDFL can still preserve the accuracy of FL, which outperforms existing fully decentralized FL frameworks.

show abstract

Against Membership Inference Attack: Pruning is All You Need

Cited by 24 publications

References 0 publications

TAG: Gradient Attack on Transformer-based Language Models

TAG: Gradient Attack on Transformer-based Language Models

Privacy‐preserving generative framework for images against membership inference attacks

Secure and Efficient Decentralized Federated Learning with Data Representation Protection

Contact Info

Product

Resources

About