- Several follow-up studies based on this paper
  - ML-Leaks: Model and Data Independent Membership Inference Attacks and Defenses on Machine Learn
  - MemGuard: Defending against Black-Box Membership Inference Attacks via Adversarial Examples
- Supplementary background
  - Some thoughts on machine learning from a security perspective
Review of basics
- Precision and recall: the two differ only in the denominator. For precision it is the number of samples predicted positive; for recall it is the number of positive samples in the original data.
  - precision is defined with respect to our predictions: it is the fraction of samples predicted positive that are truly positive. A sample is predicted positive in two cases: a positive sample predicted positive (TP) or a negative sample predicted positive (FP), so $Precision=\frac{TP}{TP+FP}$
  - recall is defined with respect to the original samples: it is the fraction of positive samples that were predicted correctly. Again there are two cases: a positive sample predicted positive (TP) or a positive sample predicted negative (FN), so $Recall=\frac{TP}{TP+FN}$
Introduction
- Main contributions of the paper
  - quantify membership information leakage through the prediction outputs of machine learning models
- Implementation approach
  - turn machine learning against itself and train an attack model
  - In essence, membership inference is turned into a binary classification problem: distinguish the target model's behaviour on inputs it encountered during training from its behaviour on inputs it did not
- Overall method
  - shadow training → ground truth about membership → train the attack model
- The three methods used to generate training data for the shadow models
  - uses black-box access to the target model to synthesize data
  - uses statistics about the population
  - assumes that the adversary has access to a potentially noisy version of the target's training dataset
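The shadow-training pipeline described above, as an added worked example (not code from the paper or from this page): it assumes a constructed two-class 2-D Gaussian dataset, an overfit Gaussian-kernel classifier standing in for both the target and the shadow model, and a single-threshold attack model over the confidence in the true label. It ends by reporting the attack's precision and recall against the target model with the formulas from the review section, which is how one quantifies how much membership information a model leaks.

```python
import math
import random

def kernel_model(train, bandwidth=0.01):
    """Overfit stand-in model: P(c|x) is the share of Gaussian-kernel weight from
    training points of class c. A member is at distance 0 from itself (weight 1.0)."""
    def predict(x):
        weights = [0.0, 0.0]
        for (px, py), label in train:
            weights[label] += math.exp(-((x[0] - px) ** 2 + (x[1] - py) ** 2) / bandwidth)
        total = sum(weights) or 1.0
        return [w / total for w in weights]
    return predict

def sample_points(rng, n):
    """Constructed data: two overlapping 2-D Gaussian classes (labels 0 and 1)."""
    pts = []
    for _ in range(n):
        label = rng.randrange(2)
        centre = float(label)
        pts.append(((rng.gauss(centre, 0.7), rng.gauss(centre, 0.7)), label))
    return pts

def membership_features(model, points):
    # Attack feature: the confidence the model assigns to the record's true label
    return [model(x)[y] for x, y in points]

def train_attack_model(shadow_in, shadow_out):
    """One-feature attack model: the threshold best separating shadow members from non-members."""
    best_tau, best_acc = 0.5, 0.0
    for tau in sorted(set(shadow_in + shadow_out)):
        acc = (sum(f >= tau for f in shadow_in) + sum(f < tau for f in shadow_out)) / (len(shadow_in) + len(shadow_out))
        if acc > best_acc:
            best_tau, best_acc = tau, acc
    return best_tau

def run_membership_inference(seed=0, n=300):
    """Shadow training -> ground truth about membership -> attack model -> precision/recall on target."""
    rng = random.Random(seed)
    target_in, target_out = sample_points(rng, n), sample_points(rng, n)  # target's members / non-members
    shadow_in, shadow_out = sample_points(rng, n), sample_points(rng, n)  # shadow's membership is known
    target, shadow = kernel_model(target_in), kernel_model(shadow_in)
    tau = train_attack_model(membership_features(shadow, shadow_in),
                             membership_features(shadow, shadow_out))
    tp = sum(f >= tau for f in membership_features(target, target_in))   # members flagged as members
    fp = sum(f >= tau for f in membership_features(target, target_out))  # non-members flagged as members
    precision = tp / (tp + fp) if tp + fp else 0.0  # TP / (TP + FP)
    recall = tp / n                                  # TP / (TP + FN), and TP + FN = n members
    return precision, recall
```

Precision and recall both above 0.5 mean the attack beats random guessing, i.e. the target's outputs leak membership.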
- Problem Statement: the assumptions this paper is based on
  - The attacker has query access to the model and can obtain the model'