Membership Inference Attacks Against Machine Learning Models via Prediction Sensitivity

Machine learning (ML) has achieved huge success in recent years, but is also vulnerable to various attacks. In this article, we concentrate on membership inference attacks and propose Aster, which merely requires the target model's black-box API and a data sample to determine whether this sample was used to train the given ML model or not. The key idea of Aster is that the training data of a fully trained ML model usually has lower prediction sensitivity than non-training data (i.e., testing data). Lower sensitivity means that when a training sample's feature value is perturbed in the corresponding feature space, the target model's prediction for the perturbed sample tends to remain consistent with the original prediction. In this article, we quantify the prediction sensitivity with the Jacobian matrix, which reflects the relationship between the perturbation of each feature and the resulting change in the prediction. We then regard samples with a lower prediction sensitivity as training data. Aster can breach the membership privacy of the target model's training data with no prior knowledge about the target model or its training data. The experimental results on four datasets show that our method outperforms three state-of-the-art inference attacks.
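The following is an added illustration of the prediction-sensitivity measurement the abstract describes, written here as a privacy-audit helper; it is not the authors' Aster code. It estimates the Jacobian of a black-box probability output with respect to the input features by central finite differences (only a `predict_proba`-style query is needed), scores each sample by the Frobenius norm of that Jacobian, and flags the lower-scoring samples as likely training members. The toy softmax target model, the Frobenius-norm score and the median threshold are assumptions made for this example; the paper's exact scoring and threshold choice are not reproduced.

```python
import numpy as np


def softmax(z):
    z = z - z.max()
    e = np.exp(z)
    return e / e.sum()


# Constructed toy "target model": a 3-feature, 2-class softmax linear classifier
# with fixed weights. It stands in for the black-box API; the audit below only
# ever calls target_predict_proba, never touches W or B directly.
W = np.array([[1.0, -2.0, 0.5],
              [-1.5, 0.3, 2.0]])
B = np.array([0.1, -0.1])


def target_predict_proba(x):
    """Black-box query: feature vector -> class-probability vector."""
    return softmax(W @ np.asarray(x, dtype=float) + B)


def finite_difference_jacobian(predict, x, eps=1e-5):
    """Estimate d predict(x) / d x using central differences.

    Returns an (n_classes x n_features) matrix: entry [c, j] is how much the
    probability of class c moves per unit perturbation of feature j.
    Only 2 * n_features black-box queries are needed.
    """
    x = np.asarray(x, dtype=float)
    p0 = predict(x)
    J = np.zeros((p0.size, x.size))
    for j in range(x.size):
        d = np.zeros_like(x)
        d[j] = eps
        J[:, j] = (predict(x + d) - predict(x - d)) / (2.0 * eps)
    return J


def analytic_jacobian(x):
    """Closed-form Jacobian of the toy softmax model, used to check the estimate."""
    p = target_predict_proba(x)
    return (np.diag(p) - np.outer(p, p)) @ W


def prediction_sensitivity(predict, x, eps=1e-5):
    """Scalar sensitivity score: Frobenius norm of the Jacobian (an assumption
    of this example; any matrix norm would do for the ranking)."""
    return float(np.linalg.norm(finite_difference_jacobian(predict, x, eps)))


def infer_membership(scores, threshold):
    """Lower sensitivity -> more likely a training member."""
    return [s <= threshold for s in scores]


def audit(predict, samples):
    """Score each sample and split at the median score (assumed threshold)."""
    scores = [prediction_sensitivity(predict, x) for x in samples]
    threshold = float(np.median(scores))
    return scores, infer_membership(scores, threshold)


# Constructed samples: one the model is very confident about (plays the role of
# a memorised training point) and one near the decision boundary.
X_CONFIDENT = np.array([3.0, -3.0, 0.0])
X_BOUNDARY = np.array([0.0, 0.0, 0.0])

if __name__ == "__main__":
    scores, members = audit(target_predict_proba, [X_CONFIDENT, X_BOUNDARY])
    for x, s, m in zip([X_CONFIDENT, X_BOUNDARY], scores, members):
        print(f"x={x} sensitivity={s:.4g} inferred_member={m}")
```

For a defender, the same routine doubles as a leakage check: if held-out samples and training samples produce clearly separable sensitivity scores, the model is memorising and mitigation (regularisation, early stopping, or differential-privacy training) should be considered before the API is exposed.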
