Demystifying Membership Inference Attacks in Machine Learning as a Service

Truex, Stacey; Ling, Liu; Gürsoy, Mehmet Emre; Yu, Lei; Wei, Wüchang

doi:10.1109/tsc.2019.2897554

Cited by 196 publications

(141 citation statements)

References 35 publications

Supporting

Mentioning

123

Contrasting

Order By: Relevance

“…We also advocate multi-tier strategic ensemble learning [17,36]. We argue that such cross-layer hybrid approach can combine several ensemble strategies to further increase the diversity of ensemble members, providing more robust safeguards for the inputs to DNN models, the training of DNN models and the outputs of DNN models.…”

Section: Ensemble Consensus Methodsmentioning

confidence: 99%

Deep Neural Network Ensembles Against Deception: Ensemble Diversity, Accuracy and Robustness

Liu

Wei

Chow

et al. 2019

2019 IEEE 16th International Conference on Mobile Ad Hoc and Sensor Systems (MASS)

Self Cite

View full text Add to dashboard Cite

Ensemble learning is a methodology that integrates multiple DNN learners for improving prediction performance of individual learners. Diversity is greater when the errors of the ensemble prediction is more uniformly distributed. Greater diversity is highly correlated with the increase in ensemble accuracy. Another attractive property of diversity optimized ensemble learning is its robustness against deception: an adversarial perturbation attack can mislead one DNN model to misclassify but may not fool other ensemble DNN members consistently. In this paper we first give an overview of the concept of ensemble diversity and examine the three types of ensemble diversity in the context of DNN classifiers. We then describe a set of ensemble diversity measures, a suite of algorithms for creating diversity ensembles and for performing ensemble consensus (voted or learned) for generating high accuracy ensemble output by strategically combining outputs of individual members. This paper concludes with a discussion on a set of open issues in quantifying ensemble diversity for robust deep learning.

show abstract

Section: Ensemble Consensus Methodsmentioning

confidence: 99%

Deep Neural Network Ensembles Against Deception: Ensemble Diversity, Accuracy and Robustness

Liu

Wei

Chow

et al. 2019

2019 IEEE 16th International Conference on Mobile Ad Hoc and Sensor Systems (MASS)

Self Cite

View full text Add to dashboard Cite

show abstract

“…We note that all experiments evaluated the attack model against an equal number of instances in the target training dataset D as those not in D. The baseline membership inference accuracy is therefore 50%. We refer readers to [14] for more details on these datasets and experimental set up.…”

Section: Datasetmentioning

confidence: 99%

“…Figure 1 gives a workflow sketch of membership inference attack generation algorithm. We use the shadow model technique documented in [17] and [14] to describe the attack generation process of membership inference attacks, while noting that many of the processes may be applicable to other attack generation techniques.…”

Section: B Attack Generationmentioning

confidence: 99%

“…1) Generating Shadow Data and Substitute Models: In the shadow model technique, an attacker must first generate or access a shadow dataset, a synthetic labeled dataset D to mirror the data in D. While [17] and [14] both outline potential approaches to generating such a synthetic dataset from scratch, we would like to note that in many cases, attackers may also have examples of their own which can be used as seeds for the shadow data generation process or to bootstrap their shadow dataset. Consider our example of the financial institution.…”

Section: B Attack Generationmentioning

confidence: 99%

“…These results indicate that (1) the same strategy used for selecting the shadow model type may not be optimal for the attack model and (2) shadow models of different types other than the target model type may still lead to successful membership inference attacks. We refer readers to [14] for additional detail. The transferability study in Table III indicates an attacker does not always need to know the exact target model configuration to launch an effective membership inference attack as attack models can be transferable from one target model type to another.…”

Section: Transferability Of Membership Inferencementioning

confidence: 99%

See 2 more Smart Citations

Effects of Differential Privacy and Data Skewness on Membership Inference Vulnerability

Truex

Liu

Gürsoy

et al. 2019

2019 First IEEE International Conference on Trust, Privacy and Security in Intelligent Systems and Applications (TPS-ISA)

Self Cite

View full text Add to dashboard Cite

Membership inference attacks seek to infer the membership of individual training instances of a privately trained model. This paper presents a membership privacy analysis and evaluation system, called MPLens, with three unique contributions. First, through MPLens, we demonstrate how membership inference attack methods can be leveraged in adversarial machine learning. Second, through MPLens, we highlight how the vulnerability of pre-trained models under membership inference attack is not uniform across all classes, particularly when the training data itself is skewed. We show that risk from membership inference attacks is routinely increased when models use skewed training data. Finally, we investigate the effectiveness of differential privacy as a mitigation technique against membership inference attacks. We discuss the trade-offs of implementing such a mitigation strategy with respect to the model complexity, the learning task complexity, the dataset complexity and the privacy parameter settings. Our empirical results reveal that (1) minority groups within skewed datasets display increased risk for membership inference and (2) differential privacy presents many challenging trade-offs as a mitigation technique to membership inference risk.

show abstract

Security of Distributed Intelligence in Edge Computing: Threats and Countermeasures

Ansari

Alsamhi

Qiao

et al. 2020

Palgrave Studies in Digital Business &Amp; Enabling Technologies

View full text Add to dashboard Cite

Rapid growth in the amount of data produced by IoT sensors and devices has led to the advent of edge computing wherein the data is processed at a point at or near to its origin. This facilitates lower latency, as well as data security and privacy by keeping the data localized to the edge node. However, due to the issues of resource-constrained hardware and software heterogeneities, most edge computing systems are prone to a large variety of attacks. Furthermore, the recent trend of incorporating intelligence in edge computing systems has led to its own security issues such as data and model poisoning, and evasion attacks. This chapter presents a discussion on the most pertinent threats to edge intelligence.

show abstract

Demystifying Membership Inference Attacks in Machine Learning as a Service

Cited by 196 publications

References 35 publications

Deep Neural Network Ensembles Against Deception: Ensemble Diversity, Accuracy and Robustness

Deep Neural Network Ensembles Against Deception: Ensemble Diversity, Accuracy and Robustness

Effects of Differential Privacy and Data Skewness on Membership Inference Vulnerability

Security of Distributed Intelligence in Edge Computing: Threats and Countermeasures

Contact Info

Product

Resources

About