ML-Leaks: Model and Data Independent Membership Inference Attacks and Defenses on Machine Learning Models

Salem, Ahmed; Zhang, Yang; Humbert, Mathias; Berrang, Pascal; Fritz, Mario; Backes, Michael

doi:10.14722/ndss.2019.23119

Cited by 526 publications

(771 citation statements)

References 28 publications

Supporting

Mentioning

761

Contrasting

Order By: Relevance

“…Membership inference attacks [24], [25] attempt to determine if a record obtained by an adversary was part of the original training data of the model. Whilst this attack does not compromise the security of the model, it breaches the privacy of the individual records.…”

Section: Related Workmentioning

confidence: 99%

“…These attacks create a shadow model [24] to mimic the behavior of the target model. Salem et al [25] construct a shadow model using only positive class samples and negative noise generated via uniformly random feature vectors. However it is hypothesized that these random samples belong to non-members, i.e., the negative class [25, §V.B].…”

Section: Related Workmentioning

confidence: 99%

“…3 We note that a key difference in the use of machine learning in biometric authentication as compared to its use in other areas (e.g., predicting likelihood of diseases through a healthcare dataset) is that the system should only output its decision: accept or reject [23], and not the detailed confidence values, i.e., confidence of the accept or reject decision. This makes our setting different from membership inference attacks where it is assumed that the model returns a prediction vector, where each element is the confidence (probability) that the associated class is the likely label of the input sample [24], [25]. In other words, less information is leaked in biometric authentication.…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

On the Resilience of Biometric Authentication Systems against Random Inputs

Zhao¹,

Asghar²,

Kâafar³

2020

Proceedings 2020 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

We assess the security of machine learning based biometric authentication systems against an attacker who submits uniform random inputs, either as feature vectors or raw inputs, in order to find an accepting sample of a target user. The average false positive rate (FPR) of the system, i.e., the rate at which an impostor is incorrectly accepted as the legitimate user, may be interpreted as a measure of the success probability of such an attack. However, we show that the success rate is often higher than the FPR. In particular, for one reconstructed biometric system with an average FPR of 0.03, the success rate was as high as 0.78. This has implications for the security of the system, as an attacker with only the knowledge of the length of the feature space can impersonate the user with less than 2 attempts on average. We provide detailed analysis of why the attack is successful, and validate our results using four different biometric modalities and four different machine learning classifiers. Finally, we propose mitigation techniques that render such attacks ineffective, with little to no effect on the accuracy of the system.

show abstract

Section: Related Workmentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

On the Resilience of Biometric Authentication Systems against Random Inputs

Zhao¹,

Asghar²,

Kâafar³

2020

Proceedings 2020 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

show abstract

“…The attack technique proposed in [17], however, requires computational power and involves the training of multiple machine learning models. The techniques proposed in [18] are different still in that they require the attacker to develop effective threshold values. Figure 1 gives a workflow sketch of membership inference attack generation algorithm.…”

Section: B Attack Generationmentioning

confidence: 99%

“…The membership inference attack against machine learning models was first presented in [17] where the authors proposed the shadow model attack. [14] characterized attack vulnerability with respect to different model types and datasets and introduced the vulnerability of loosely federated systems while the authors in [18] relax adversarial assumptions and generate a model and data independent attacker. Hayes et.…”

Section: Related Workmentioning

confidence: 99%

Effects of Differential Privacy and Data Skewness on Membership Inference Vulnerability

Truex

Liu

Gürsoy

et al. 2019

2019 First IEEE International Conference on Trust, Privacy and Security in Intelligent Systems and Applications (TPS-ISA)

View full text Add to dashboard Cite

Membership inference attacks seek to infer the membership of individual training instances of a privately trained model. This paper presents a membership privacy analysis and evaluation system, called MPLens, with three unique contributions. First, through MPLens, we demonstrate how membership inference attack methods can be leveraged in adversarial machine learning. Second, through MPLens, we highlight how the vulnerability of pre-trained models under membership inference attack is not uniform across all classes, particularly when the training data itself is skewed. We show that risk from membership inference attacks is routinely increased when models use skewed training data. Finally, we investigate the effectiveness of differential privacy as a mitigation technique against membership inference attacks. We discuss the trade-offs of implementing such a mitigation strategy with respect to the model complexity, the learning task complexity, the dataset complexity and the privacy parameter settings. Our empirical results reveal that (1) minority groups within skewed datasets display increased risk for membership inference and (2) differential privacy presents many challenging trade-offs as a mitigation technique to membership inference risk.

show abstract

Security of federated learning for cloud‐edge intelligence collaborative computing

Yang

Zheng

Zhang

et al. 2022

Int J of Intelligent Sys

View full text Add to dashboard Cite

Federated Learning (FL) is one of the key technologies to solve privacy protection for cloud-edge intelligent collaborative computing, and its security and privacy issues have attracted extensive attention from academia and industry. FL is a distributed privacy protection framework. Multiple edged nodes or servers jointly train a machine learning model by sharing model parameters without exchanging local data. However, there are still many security risks and privacy threats in FL in edge-cloud collaborative computing. In this paper, we mainly discuss the security and privacy challenges on FL in collaborative computing at the edge. First, we introduce the principle, classification, and threat model of FL in edge-cloud collaboration, which helps understand the challenges faced by edgecloud collaborative computing. Second, privacy leakage attacks and poisoning attacks launched by adversaries or honest but curious actors are summarized and compared. Then, the problems existing on the attack method are summarized and analyzed. Finally, the future development direction of FL in the field of edgecloud collaborative computing is further discussed.

show abstract

ML-Leaks: Model and Data Independent Membership Inference Attacks and Defenses on Machine Learning Models

Cited by 526 publications

References 28 publications

On the Resilience of Biometric Authentication Systems against Random Inputs

On the Resilience of Biometric Authentication Systems against Random Inputs

Effects of Differential Privacy and Data Skewness on Membership Inference Vulnerability

Security of federated learning for cloud‐edge intelligence collaborative computing

Contact Info

Product

Resources

About