MemGuard: Defending against Black-Box Membership Inference Attacks via Adversarial Examples

[CCS’19] MemGuard: Defending against Black-Box Membership Inference Attacks via Adversarial Examples

Keywords: Membership Inference Attack, Adversarial Example
Takeaways: This paper proposes defending against membership inference attacks (MIA) by using an adversarial example (AE) attack to attack the attackers. The defense outperforms its counterparts by strictly bounding the utility loss of the confidence score vector, thus achieving an optimal trade-off between utility and privacy.



Background

1. Membership Inference Attacks

In a nutshell, an attacker trains a binary classifier that takes as input the confidence score vector the target classifier predicts for a data sample, and predicts whether that sample is a member or non-member of the target classifier’s training dataset.

MIA leads to:

  1. severe privacy violations (for sensitive areas that use big data, such as health care)
  2. damage to the model provider’s intellectual property (by stealing well-processed training data)

A major reason why membership inference attacks succeed is that the target classifier is overfitted. As a result, the confidence score vectors predicted by the target classifier are distinguishable for members and non-members of the training dataset.

2. Existing defense against MIA:
  • Regularization based defenses
    • L2-Regularizer
    • Min-Max Game
    • Dropout
  • Ensemble method
    • Model Stacking
  • Differential privacy
    • DP-SGD

Refer to the paper for details


Design

1. Overview

  • Goal 1: The attack classifier is inaccurate at inferring the members/non-members of the target classifier’s training dataset
  • Goal 2: The utility loss of the confidence score vector is bounded
2. Formulation of MIA defense:

Formulation of the optimization problem

3. Key ideas of the solution
  1. Divide the noisy space
  2. Two-phase Framework to solve the optimization problem
4. Solution

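(The original optimization problem solves for a probability distribution under many nonlinear constraints; it is converted into an unconstrained optimization problem over 2 fixed variables: first transform the constraints, then eliminate them.)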
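The two design goals above, shown with a deliberately simplified stand-in (an added example, not code from the paper or from this post, and not MemGuard's two-phase algorithm): a confidence score vector is perturbed just enough to cross a surrogate attacker's decision boundary while the utility loss stays within a budget. Assumptions: the threshold attacker on the top score, the mixing-with-uniform perturbation, L1 distance as the utility-loss measure, and all names and sample values are hypothetical.

```python
def surrogate_attack(scores, tau=0.8):
    """Hypothetical attacker: says 'member' when the top confidence exceeds tau
    (an overfitted classifier tends to be more confident on training members)."""
    return max(scores) > tau

def l1(a, b):
    return sum(abs(x - y) for x, y in zip(a, b))

def bounded_perturb(scores, epsilon, tau=0.8, margin=1e-6):
    """Mix the score vector with the uniform distribution until the top score sits
    just below tau, spending at most epsilon of L1 distortion (assumed utility loss).
    For a mixing weight t < 1 the result is still a probability distribution and
    the predicted label (argmax) is unchanged."""
    k = len(scores)
    if tau - margin <= 1.0 / k:
        raise ValueError("tau must lie above the uniform score 1/k")
    top = max(scores)
    if top <= tau:                                  # attacker already says non-member
        return list(scores)
    uniform = [1.0 / k] * k
    t_needed = (top - (tau - margin)) / (top - 1.0 / k)  # reaches the boundary
    t_budget = epsilon / l1(scores, uniform)             # what the budget allows
    t = min(t_needed, t_budget)
    return [(1 - t) * s + t * u for s, u in zip(scores, uniform)]

def report(scores, epsilon):
    """Apply the bounded perturbation and check both goals on the result."""
    noisy = bounded_perturb(scores, epsilon)
    return {
        "noisy": noisy,
        "utility_loss": l1(scores, noisy),
        "label_kept": noisy.index(max(noisy)) == scores.index(max(scores)),
        "attack_says_member": surrogate_attack(noisy),
    }

if __name__ == "__main__":
    member_like = [0.97, 0.02, 0.01]   # constructed, overconfident output
    for eps in (0.1, 0.5):             # tight budget vs. sufficient budget
        print(eps, report(member_like, eps))
```

With the tight budget the surrogate attacker still flags the sample; with the larger one it no longer does, which is the utility/privacy trade-off the bounded formulation controls.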


Experimental Results

Omitted. Refer to the paper for details


Personal Response

+ Strengths:
  1. The fancy idea of using AE to defend against MIA
  2. Skillful transformation and elimination when solving the optimization problem
- Weaknesses:
  1. It seems that the authors have missed an important part of the noisy space grouping. Specifically, the noisy space is claimed to be divided into two groups. However, it is not intuitive how to ensure that both groups exist in every case, especially group n1. And how are they grouped?

[Reprint notice] Please credit the source when reprinting or citing this blog post.
