可逆神经网络的隐私泄露风险评估

doi:10.11959/j.issn.2096-109x.2023051

网络与信息安全学报 ›› 2023, Vol. 9 ›› Issue (4): 29-39.doi: 10.11959/j.issn.2096-109x.2023051

• 学术论文 • 上一篇

可逆神经网络的隐私泄露风险评估

何毅凡¹^,², 张杰²^,³, 张卫明²^,³, 俞能海²^,³

¹ 中国科学技术大学信息科学技术学院，安徽合肥 230027
² 中国科学院电磁空间信息重点实验室，安徽合肥 230027
³ 中国科学技术大学网络空间安全学院，安徽合肥 230027

修回日期:2023-02-06 出版日期:2023-08-01 发布日期:2023-08-01
作者简介:何毅凡（1998- ），男，湖北武汉人，中国科学技术大学硕士生，主要研究方向为人工智能安全与隐私保护
张杰（1995- ），男，河南驻马店人，中国科学技术大学博士生，主要研究方向为人工智能安全、隐私及其版权保护
张卫明（1976- ），男，河北定州人，中国科学技术大学教授、博士生导师，主要研究方向为信息隐藏、多媒体内容安全、人工智能安全
俞能海（1964- ），男，安徽无为人，中国科学技术大学教授、博士生导师，主要研究方向为多媒体信息检索、图像处理与视频通信、数字媒体内容安全
基金资助:
国家自然科学基金(U20B2047);国家自然科学基金(62072421);国家自然科学基金(62002334);国家自然科学基金(62102386);国家自然科学基金(62121002);中国科学技术大学探索基金(YD3480002001);中央高校基本科研业务费专项基金(WK2100000011)

Privacy leakage risk assessment for reversible neural network

Yifan HE¹^,², Jie ZHANG²^,³, Weiming ZHANG²^,³, Nenghai YU²^,³

¹ School of Information Science and Technology, University of Science and Technology of China, Hefei 230027, China
² Key Laboratory of Electro-magnetic Space Information, Chinese Academy of Sciences, Hefei 230027, China
³ School of Cyber Science and Technology, University of Science and Technology of China, Hefei 230027, China

Revised:2023-02-06 Online:2023-08-01 Published:2023-08-01
Supported by:
The National Natural Science Foundation of China(U20B2047);The National Natural Science Foundation of China(62072421);The National Natural Science Foundation of China(62002334);The National Natural Science Foundation of China(62102386);The National Natural Science Foundation of China(62121002);Exploration Fund of University of Science and Technology of China(YD3480002001);Fundamental Research Funds for the Central Universities(WK2100000011)

摘要/Abstract

摘要：

近年来，深度学习已经成为多方领域的核心技术，而深度学习模型的训练过程中往往需要大量的数据，这些数据中可能含有隐私信息，包括个人身份信息（如电话号码、身份证号等）和敏感信息（如金融财务、医疗健康等）。因此，人工智能模型的隐私风险问题成为学术界的研究热点。深度学习模型的隐私研究仅局限于传统神经网络，而很少针对特殊网络结构的新兴网络（如可逆神经网络）。可逆神经网络的上层信息输入可以由下层输出直接得到，直观上讲，该结构保留了更多有关训练数据的信息，相比传统网络具有更大的隐私泄露风险。为此，提出从数据隐私泄露和模型功能隐私泄露两个层面来探讨深度网络的隐私问题，并将该风险评估策略应用到可逆神经网络。具体来说，选取了两种经典的可逆神经网络（RevNet 和i-RevNet），并使用了成员推理攻击、模型逆向攻击、属性推理攻击和模型窃取攻击 4 种攻击手段进行隐私泄露分析。实验结果表明，可逆神经网络在面对数据层面的隐私攻击时存在相比传统神经网络更严重的隐私泄露风险，而在面对模型层面的隐私攻击时存在相似的隐私泄露风险。由于可逆神经网络研究越来越多，目前被广泛被应用于各种任务，这些任务也涉及敏感数据，在实验结果分析基础上提出了一些潜在的解决方法，希望能够应用于未来可逆神经网络的发展。

关键词: 可逆神经网络, 隐私保护, 成员推理攻击, 隐私威胁

Abstract:

In recent years, deep learning has emerged as a crucial technology in various fields.However, the training process of deep learning models often requires a substantial amount of data, which may contain private and sensitive information such as personal identities and financial or medical details.Consequently, research on the privacy risk associated with artificial intelligence models has garnered significant attention in academia.However, privacy research in deep learning models has mainly focused on traditional neural networks, with limited exploration of emerging networks like reversible networks.Reversible neural networks have a distinct structure where the upper information input can be directly obtained from the lower output.Intuitively, this structure retains more information about the training data, potentially resulting in a higher risk of privacy leakage compared to traditional networks.Therefore, the privacy of reversible networks was discussed from two aspects: data privacy leakage and model function privacy leakage.The risk assessment strategy was applied to reversible networks.Two classical reversible networks were selected, namely RevNet and i-RevNet.And four attack methods were used accordingly, namely membership inference attack, model inversion attack, attribute inference attack, and model extraction attack, to analyze privacy leakage.The experimental results demonstrate that reversible networks exhibit more serious privacy risks than traditional neural networks when subjected to membership inference attacks, model inversion attacks, and attribute inference attacks.And reversible networks have similar privacy risks to traditional neural networks when subjected to model extraction attack.Considering the increasing popularity of reversible neural networks in various tasks, including those involving sensitive data, it becomes imperative to address these privacy risks.Based on the analysis of the experimental results, potential solutions were proposed which can be applied to the development of reversible networks in the future.

Key words: reversible neural network, privacy protection, membership inference attack, privacy threat

中图分类号:

TP309.7

何毅凡, 张杰, 张卫明, 俞能海. 可逆神经网络的隐私泄露风险评估[J]. 网络与信息安全学报, 2023, 9(4): 29-39.

Yifan HE, Jie ZHANG, Weiming ZHANG, Nenghai YU. Privacy leakage risk assessment for reversible neural network[J]. Chinese Journal of Network and Information Security, 2023, 9(4): 29-39.

图/表 18

图1

图2

表1

图3

图4

图5

表2

图6

表3

表4

图7

表5

表6

表7

模型窃取攻击成功率Table 7 Accuracy of model extraction attack"

网络模型	ResNet-18	RevNet-38	i-RevNet-31
ResNet-32	$86 . 97 %$	80.22%	55.23%
RevNet-38	82.03%	$83 . 38 %$	38.56%
i-RevNet-31	81.76%	72.10%	$66 . 41 %$

表7

表8

模型窃取攻击成功率（攻击模型统一为Inception V3） Table 8 Accuracy of model extraction attack (The attack model is unified as Inception V3)"

网络模型	InceptionV3
ResNet-32	$84 . 76 %$
RevNet-38	79.85%
i-RevNet-31	80.79%

表8

表9

表10

RevNet消融实验结果Table 10 Results of RevNet ablation experiment"

网络模型	成员推理攻击成功率	模型逆向攻击损失	属性推理攻击成功率
RevNet-38	$69 . 07 %$	$5 . 96 \times 1 0^{- 7}$	$48 . 02 %$
RevNet-38-A	67.15%	5.96×10^-7	47.97%
RevNet-38-B	66.37%	1.66×10^-6	47.64%

表10

表11

i-RevNet消融实验结果Table 11 Results of i-RevNet ablation experiment"

网络模型	成员推理攻击成功率	模型逆向攻击损失	属性推理攻击成功率
i-RevNet-31	$72 . 44 %$	$2 . 45 \times 1 0^{- 6}$	$48 . 96 %$
i-RevNet-31-A	71.76%	2.62×10^-6	48.06%
i-RevNet-31-B	70.18%	3.33×10^-6	46.67%

表11

参考文献 21

[1]	SHOKRI R , STRONATI M , SONG C ,et al. Membership inference attacks against machine learning models[C]// IEEE Symposium on Security and Privacy. 2017
[2]	KHOSRAVY M , NAKAMURA K , HIROSE Y ,et al. Model inversion attack:analysis under gray-box scenario on deep learning based face recognition system[J]. KSII Transactions on Internet and Information Systems, 2021,15(3): 1100-1119.
[3]	TRUONG J B , MAINI P , WALLS R ,et al. Data-free model extraction[C]// IEEE/CVF Conference on Computer Vision and Pattern Recognition. 2021
[4]	谭作文, 张连福 . 机器学习隐私保护研究综述[J]. 软件学报, 2020,31(7): 30.
	TAN Z W , ZHANG L F . Survey on privacy preserving techniques for machine learning[J]. Journal of Software. 2020,31(7): 30.
[5]	DINH L , KRUEGER D , BENGIO Y . NICE:non-linear independent components estimation[J]. Computer Science, 2014.
[6]	GOMEZ A N , REN M , URTASUN R ,et al. The reversible residual network:backpropagation without storing activations[C]// International Conference on Neural Information Processing Systems(NIPS). 2017: 2211-2221.
[7]	JACOBSEN J H , SMEULDERS A , OYALLON E . i-RevNet:deep invertible networks[C]// International Conference on Learning Representations. 2018.
[8]	MELIS L , SONG C Z , DE-CRISTOFARO E ,et al. Exploiting unintended feature leakage in collaborative learning[C]// Proc of the IEEE Symp on Security and Privacy. 2019
[9]	TRAMèR F , ZHANG F , JUELS A ,et al. Stealing machine learning models via prediction APIs[C]// Proc of the USENIX Security Symposium. 2016: 601-618.
[10]	SALEM A , ZHANG Y , HUMBERT M ,et al. ML-Leaks:model and data independent membership inference attacks and defenses on machine learning models[C]// Network and Distributed Systems Security (NDSS) Symposium. 2019.
[11]	CHEN S I , KAHLA M , JIA R X ,et al. Knowledge-enriched distributional model inversion attacks[C]// Proceedings of the IEEE/CVF International Conference on Computer Vision (ICCV). 2021: 16178-16187.
[12]	SZEGEDY C , VANHOUCKE V , IOFFE S ,et al. Rethinking the inception architecture for computer vision[C]// Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition (CVPR). 2016: 2818-2826.
[13]	LIU Y , WEN R , HE X ,et al. ML-doctor:holistic risk assess ment of inference attacks against machine learning models[C]// USENIX Security Symposium. 2022.
[14]	MEJIA F A , GAMBLE P , HAMPEL-ARIAS Z ,et al. Robust or private? adversarial training makes models more vulnerable to privacy attacks[R]. 2019.
[15]	AL-RUBAIE M , CHANG J M . Privacy-preserving machine learning:threats and solutions[J]. IEEE Security ＆ Privacy, 2019,17(2): 49-58.
[16]	ABADI M , CHU A , GOODFELLOW I ,et al. Deep learning with differential privacy[C]// ACM SIGSAC Conference on Computer and Communications Security (CCS). 2016: 308-318.
[17]	CHOO C A C , TRAMER F , CARLINI N ,et al. Label-only membership inference attacks[J]. arXiv Preprint arXiv:2007.14321, 2020.
[18]	CHENG Z , LI Z , ZHANG J ,et al. Differentially private machine learning model against model extraction attack[C]// 2020 International Conferences on Internet of Things (iThings) and IEEE Green Computing and Communications (GreenCom) and IEEE Cyber,Physical and Social Computing (CPSCom) and IEEE Smart Data (SmartData) and IEEE Congress on Cybermatics (Cybermatics). 2020.
[19]	JIA J Y , SALEM A , BACKES M ,et al. MemGuard:defending againstblack-box membership inference attacks via adversarial examples[C]// Proceedings of 2019 ACM SIGSAC Conference on Computer and Communications Security. 2019: 259-274.
[20]	NASR M , SHOKRI R , HOUMANSADR A . Comprehensive privacy analysis of deep learning:passive and active white-box inference attacks against centralized and federated learning[C]// Proceedings of 2019 IEEE Symposium on Security and Privacy. 2019: 739-753.
[21]	ZHANG G , LIU B , TIAN H ,et al. How does a deep learning model architecture impact its privacy[J]. arXiv Preprint arXiv:2210.11049, 2022.

网络模型	单位	通道数	参数量/MB
ResNet-32	5-5-5	16-16-32-64	0.46
RevNet-38	3-3-3	32-32-64-112	0.46
i-RevNet-31	1-3-6	8-32-128	0.48

网络模型	CIFAR10	CIFAR100	GTSRB	STL10
ResNet-32	63.88%	70.48%	71.36%	75.96%
RevNet-38	69.07% (↑5.19%)	73.54% (↑3.06%)	72.58% (↑1.22%)	81.02% (↑5.06%)
i-RevNet-31	72.44% (↑8.56%)	74.58% (↑4.10%)	74.67% (↑3.31%)	81.53% (↑5.57%)

网络模型	中间层信息的成员推理攻击	面向模型无关的成员推理攻击
ResNet-32	53.20%	63.88%
RevNet-38	68.72%	69.07%
i-RevNet-31	72.32%	72.44%

网络模型	CIFAR100	CIFAR10
ResNet-32	3.47×10^-6	4.05×10^-6
RevNet-38	6.38×10^-7	5.96×10^-7
i-RevNet-31	2.27×10^-7	2.45×10^-6

网络模型	单位	通道数
RevNet-38	3-3-3	32-32-64-112
RevNet-38-A	3-3-3	32-32-64-112
RevNet-38-B	3-3-3	32-32-64-112
i-RevNet-31	1-3-6	8-32-128
i-RevNet-31-A	1-3-6	8-32-128
i-RevNet-31-B	1-3-6	8-32-128

可逆神经网络的隐私泄露风险评估

Privacy leakage risk assessment for reversible neural network

在线阅读

pdf下载

可视化

摘要/Abstract

引用本文

使用本文

图/表 18

参考文献 21

相关文章 15

Metrics

推荐阅读 0

网络模型	CelebA
ResNet-32	39.28%
RevNet-38	43.25%(↑3.97%)
i-RevNet-31	50.25%(↑10.97%)

网络模型	UTKFace
ResNet-32	46.29%
RevNet-38	48.02%（↑1.73%）
i-RevNet-31	48.96%（↑2.67%）

[1]	陈赛特, 李卫海, 姚远志, 俞能海. 轻量级K匿名增量近邻查询位置隐私保护算法[J]. 网络与信息安全学报, 2023, 9(3): 60-72.
[2]	肖敏, 毛发英, 黄永洪, 曹云飞. 基于属性签名的车载网匿名信任管理方案[J]. 网络与信息安全学报, 2023, 9(2): 33-45.
[3]	许建龙, 林健, 黎宇森, 熊智. 分布式用户隐私保护可调节的云服务个性化QoS预测模型[J]. 网络与信息安全学报, 2023, 9(2): 70-80.
[4]	孙哲, 宁洪, 殷丽华, 方滨兴. 基于教学实训靶场的“数据隐私保护”课程建设初探[J]. 网络与信息安全学报, 2023, 9(1): 178-188.
[5]	白雪, 秦宝东, 郭瑞, 郑东. 基于SM2的两方协作盲签名协议[J]. 网络与信息安全学报, 2022, 8(6): 39-51.
[6]	肖敏, 姚涛, 刘媛妮, 黄永洪. 具有隐私保护的动态高效车载云管理方案[J]. 网络与信息安全学报, 2022, 8(6): 70-83.
[7]	卢晨昕, 陈兵, 丁宁, 陈立全, 吴戈. 具有紧凑标签的基于身份匿名云审计方案[J]. 网络与信息安全学报, 2022, 8(6): 156-168.
[8]	明盛智, 朱建明, 隋智源, 张娴. 信息增值机制下在线医疗隐私保护策略[J]. 网络与信息安全学报, 2022, 8(6): 169-177.
[9]	张娴, 朱建明, 隋智源, 明盛智. 数字货币交易匿名性与监管的博弈分析[J]. 网络与信息安全学报, 2022, 8(5): 150-157.
[10]	刘峰, 杨杰, 齐佳音. 区块链密码学隐私保护技术综述[J]. 网络与信息安全学报, 2022, 8(4): 29-44.
[11]	金琳, 田有亮. 基于区块链的多权限属性隐藏电子病历共享方案[J]. 网络与信息安全学报, 2022, 8(4): 66-76.
[12]	张伟成, 卫红权, 刘树新, 普黎明. 5G移动边缘计算场景下的快速切换认证方案[J]. 网络与信息安全学报, 2022, 8(3): 154-168.
[13]	陈前昕, 毕仁万, 林劼, 金彪, 熊金波. 支持多数不规则用户的隐私保护联邦学习框架[J]. 网络与信息安全学报, 2022, 8(1): 139-150.
[14]	高振升, 曹利峰, 杜学绘. 基于区块链的访问控制技术研究进展[J]. 网络与信息安全学报, 2021, 7(6): 68-87.
[15]	杨冠群, 刘荫, 徐浩, 邢宏伟, 张建辉, 李恩堂. 基于区块链的电网可信分布式身份认证系统[J]. 网络与信息安全学报, 2021, 7(6): 88-98.