Mitigating Membership Inference Attacks by Self-Distillation Through a Novel Ensemble Architecture

A membership inference attack (MIA) poses privacy risks for the training data of a machine learning model. With an MIA, an attacker guesses if the target data are a member of the training dataset. The state-of-the-art defense against MIAs, distillation for membership privacy (DMP), requires not only private data for protection but a large amount of unlabeled public data. However, in certain privacy-sensitive domains, such as medicine and finance, the availability of public data is not guaranteed. Moreover, a trivial method for generating public data by using generative adversarial networks significantly decreases the model accuracy, as reported by the authors of DMP. To overcome this problem, we propose a novel defense against MIAs that uses knowledge distillation without requiring public data. Our experiments show that the privacy protection and accuracy of our defense are comparable to those of DMP for the benchmark tabular datasets used in MIA research, Purchase100 and Texas100, and our defense has a much better privacy-utility trade-off than those of the existing defenses that also do not use public data for the image dataset CIFAR10.

show abstract

“…After we submitted our work to PETS 2022 Issue 2, Tang et al[39] published a concurrent and independent work similar to ours in arXiv.…”

mentioning

confidence: 66%

Knowledge Cross-Distillation for Membership Privacy

Chourasia

Enkhtaivan²,

Ito³

et al. 2022

Proceedings on Privacy Enhancing Technologies

View full text Add to dashboard Cite

show abstract

“…Note added. Although this paper was submitted to a certain conference and currently under review, we recently became aware of a concurrent independent work related to KCD by Tang et al [72].…”

Section: Discussionmentioning

confidence: 99%

Knowledge Cross-Distillation for Membership Privacy

Chourasia¹,

Enkhtaivan²,

Ito³

et al. 2021

Preprint

View full text Add to dashboard Cite

A membership inference attack (MIA) poses privacy risks on the training data of a machine learning model. With an MIA, an attacker guesses if the target data are a member of the training dataset. The stateof-the-art defense against MIAs, distillation for membership privacy (DMP), requires not only private data to protect but a large amount of unlabeled public data. However, in certain privacy-sensitive domains, such as medical and financial, the availability of public data is not obvious. Moreover, a trivial method to generate the public data by using generative adversarial networks significantly decreases the model accuracy, as reported by the authors of DMP. To overcome this problem, we propose a novel defense against MIAs using knowledge distillation without requiring public data. Our experiments show that the privacy protection and accuracy of our defense are comparable with those of DMP for the benchmark tabular datasets used in MIA researches, Purchase100 and Texas100, and our defense has much better privacy-utility trade-off than those of the existing defenses without using public data for image dataset CIFAR10.

show abstract

“…It restricts the private classifier's direct access to the private training dataset, thus significantly reduces the membership information leakage. Following DMP, there are two studies SELENA [12] and CKD/PCKD [13] which both split the original dataset into subsets, and leverage the subset models to distill the final public model. The advantage of these two DMP followers is to avoid the need for extra public data that may be hard to obtain in some applications.…”

Section: B Defense On Miasmentioning

confidence: 99%

“…However, it is not trivial to apply them directly on image translation tasks. As the sample sizes of datasets in image translation are generally smaller than those in classification, splitting the data and using subsets in training as in [12], [13] brings more risks of overfitting. Moreover, the major task of the private teacher model in [11] is to select the data by the entropy of the prediction, but the output of an image translation task does not have such entropy information, which indicates [11] cannot be fully utilized on image translation.…”

Section: Introductionmentioning

confidence: 99%

Membership Privacy Protection for Image Translation Models via Adversarial Knowledge Distillation

Alvar¹,

Wang²,

Pei³

et al. 2022

Preprint

View full text Add to dashboard Cite

Image-to-image translation models are shown to be vulnerable to the Membership Inference Attack (MIA), in which the adversary's goal is to identify whether a sample is used to train the model or not. With daily increasing applications based on image-to-image translation models, it is crucial to protect the privacy of these models against MIAs.We propose adversarial knowledge distillation (AKD) as a defense method against MIAs for image-to-image translation models. The proposed method protects the privacy of the training samples by improving the generalizability of the model. We conduct experiments on the image-to-image translation models and show that AKD achieves the state-of-the-art utility-privacy tradeoff by reducing the attack performance up to 38.9% compared with the regular training model at the cost of a slight drop in the quality of the generated output images. The experimental results also indicate that the models trained by AKD generalize better than the regular training models. Furthermore, compared with existing defense methods, the results show that at the same privacy protection level, image translation models trained by AKD generate outputs with higher quality; while at the same quality of outputs, AKD enhances the privacy protection over 30%.

show abstract

Mitigating Membership Inference Attacks by Self-Distillation Through a Novel Ensemble Architecture

Cited by 6 publications

References 28 publications

Knowledge Cross-Distillation for Membership Privacy

Knowledge Cross-Distillation for Membership Privacy

Knowledge Cross-Distillation for Membership Privacy

Membership Privacy Protection for Image Translation Models via Adversarial Knowledge Distillation

Contact Info

Product

Resources

About