可逆神经网络的隐私泄露风险评估

doi:10.11959/j.issn.2096-109x.2023051

Abstract

Abstract:

In recent years, deep learning has emerged as a crucial technology in various fields.However, the training process of deep learning models often requires a substantial amount of data, which may contain private and sensitive information such as personal identities and financial or medical details.Consequently, research on the privacy risk associated with artificial intelligence models has garnered significant attention in academia.However, privacy research in deep learning models has mainly focused on traditional neural networks, with limited exploration of emerging networks like reversible networks.Reversible neural networks have a distinct structure where the upper information input can be directly obtained from the lower output.Intuitively, this structure retains more information about the training data, potentially resulting in a higher risk of privacy leakage compared to traditional networks.Therefore, the privacy of reversible networks was discussed from two aspects: data privacy leakage and model function privacy leakage.The risk assessment strategy was applied to reversible networks.Two classical reversible networks were selected, namely RevNet and i-RevNet.And four attack methods were used accordingly, namely membership inference attack, model inversion attack, attribute inference attack, and model extraction attack, to analyze privacy leakage.The experimental results demonstrate that reversible networks exhibit more serious privacy risks than traditional neural networks when subjected to membership inference attacks, model inversion attacks, and attribute inference attacks.And reversible networks have similar privacy risks to traditional neural networks when subjected to model extraction attack.Considering the increasing popularity of reversible neural networks in various tasks, including those involving sensitive data, it becomes imperative to address these privacy risks.Based on the analysis of the experimental results, potential solutions were proposed which can be applied to the development of reversible networks in the future.

Key words: reversible neural network, privacy protection, membership inference attack, privacy threat

CLC Number:

TP309.7

Yifan HE, Jie ZHANG, Weiming ZHANG, Nenghai YU. Privacy leakage risk assessment for reversible neural network[J]. Chinese Journal of Network and Information Security, 2023, 9(4): 29-39.

Figures/Tables 18

网络模型	ResNet-18	RevNet-38	i-RevNet-31
ResNet-32	$86 . 97 %$	80.22%	55.23%
RevNet-38	82.03%	$83 . 38 %$	38.56%
i-RevNet-31	81.76%	72.10%	$66 . 41 %$

网络模型	InceptionV3
ResNet-32	$84 . 76 %$
RevNet-38	79.85%
i-RevNet-31	80.79%

网络模型	成员推理攻击成功率	模型逆向攻击损失	属性推理攻击成功率
RevNet-38	$69 . 07 %$	$5 . 96 \times 1 0^{- 7}$	$48 . 02 %$
RevNet-38-A	67.15%	5.96×10^-7	47.97%
RevNet-38-B	66.37%	1.66×10^-6	47.64%

网络模型	成员推理攻击成功率	模型逆向攻击损失	属性推理攻击成功率
i-RevNet-31	$72 . 44 %$	$2 . 45 \times 1 0^{- 6}$	$48 . 96 %$
i-RevNet-31-A	71.76%	2.62×10^-6	48.06%
i-RevNet-31-B	70.18%	3.33×10^-6	46.67%

References 21

[1]	SHOKRI R , STRONATI M , SONG C ,et al. Membership inference attacks against machine learning models[C]// IEEE Symposium on Security and Privacy. 2017
[2]	KHOSRAVY M , NAKAMURA K , HIROSE Y ,et al. Model inversion attack:analysis under gray-box scenario on deep learning based face recognition system[J]. KSII Transactions on Internet and Information Systems, 2021,15(3): 1100-1119.
[3]	TRUONG J B , MAINI P , WALLS R ,et al. Data-free model extraction[C]// IEEE/CVF Conference on Computer Vision and Pattern Recognition. 2021
[4]	谭作文, 张连福 . 机器学习隐私保护研究综述[J]. 软件学报, 2020,31(7): 30.
	TAN Z W , ZHANG L F . Survey on privacy preserving techniques for machine learning[J]. Journal of Software. 2020,31(7): 30.
[5]	DINH L , KRUEGER D , BENGIO Y . NICE:non-linear independent components estimation[J]. Computer Science, 2014.
[6]	GOMEZ A N , REN M , URTASUN R ,et al. The reversible residual network:backpropagation without storing activations[C]// International Conference on Neural Information Processing Systems(NIPS). 2017: 2211-2221.
[7]	JACOBSEN J H , SMEULDERS A , OYALLON E . i-RevNet:deep invertible networks[C]// International Conference on Learning Representations. 2018.
[8]	MELIS L , SONG C Z , DE-CRISTOFARO E ,et al. Exploiting unintended feature leakage in collaborative learning[C]// Proc of the IEEE Symp on Security and Privacy. 2019
[9]	TRAMèR F , ZHANG F , JUELS A ,et al. Stealing machine learning models via prediction APIs[C]// Proc of the USENIX Security Symposium. 2016: 601-618.
[10]	SALEM A , ZHANG Y , HUMBERT M ,et al. ML-Leaks:model and data independent membership inference attacks and defenses on machine learning models[C]// Network and Distributed Systems Security (NDSS) Symposium. 2019.
[11]	CHEN S I , KAHLA M , JIA R X ,et al. Knowledge-enriched distributional model inversion attacks[C]// Proceedings of the IEEE/CVF International Conference on Computer Vision (ICCV). 2021: 16178-16187.
[12]	SZEGEDY C , VANHOUCKE V , IOFFE S ,et al. Rethinking the inception architecture for computer vision[C]// Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition (CVPR). 2016: 2818-2826.
[13]	LIU Y , WEN R , HE X ,et al. ML-doctor:holistic risk assess ment of inference attacks against machine learning models[C]// USENIX Security Symposium. 2022.
[14]	MEJIA F A , GAMBLE P , HAMPEL-ARIAS Z ,et al. Robust or private? adversarial training makes models more vulnerable to privacy attacks[R]. 2019.
[15]	AL-RUBAIE M , CHANG J M . Privacy-preserving machine learning:threats and solutions[J]. IEEE Security ＆ Privacy, 2019,17(2): 49-58.
[16]	ABADI M , CHU A , GOODFELLOW I ,et al. Deep learning with differential privacy[C]// ACM SIGSAC Conference on Computer and Communications Security (CCS). 2016: 308-318.
[17]	CHOO C A C , TRAMER F , CARLINI N ,et al. Label-only membership inference attacks[J]. arXiv Preprint arXiv:2007.14321, 2020.
[18]	CHENG Z , LI Z , ZHANG J ,et al. Differentially private machine learning model against model extraction attack[C]// 2020 International Conferences on Internet of Things (iThings) and IEEE Green Computing and Communications (GreenCom) and IEEE Cyber,Physical and Social Computing (CPSCom) and IEEE Smart Data (SmartData) and IEEE Congress on Cybermatics (Cybermatics). 2020.
[19]	JIA J Y , SALEM A , BACKES M ,et al. MemGuard:defending againstblack-box membership inference attacks via adversarial examples[C]// Proceedings of 2019 ACM SIGSAC Conference on Computer and Communications Security. 2019: 259-274.
[20]	NASR M , SHOKRI R , HOUMANSADR A . Comprehensive privacy analysis of deep learning:passive and active white-box inference attacks against centralized and federated learning[C]// Proceedings of 2019 IEEE Symposium on Security and Privacy. 2019: 739-753.
[21]	ZHANG G , LIU B , TIAN H ,et al. How does a deep learning model architecture impact its privacy[J]. arXiv Preprint arXiv:2210.11049, 2022.

Metrics

Recommended 0

No Suggested Reading articles found!

网络模型	单位	通道数	参数量/MB
ResNet-32	5-5-5	16-16-32-64	0.46
RevNet-38	3-3-3	32-32-64-112	0.46
i-RevNet-31	1-3-6	8-32-128	0.48

网络模型	CIFAR10	CIFAR100	GTSRB	STL10
ResNet-32	63.88%	70.48%	71.36%	75.96%
RevNet-38	69.07% (↑5.19%)	73.54% (↑3.06%)	72.58% (↑1.22%)	81.02% (↑5.06%)
i-RevNet-31	72.44% (↑8.56%)	74.58% (↑4.10%)	74.67% (↑3.31%)	81.53% (↑5.57%)

网络模型	中间层信息的成员推理攻击	面向模型无关的成员推理攻击
ResNet-32	53.20%	63.88%
RevNet-38	68.72%	69.07%
i-RevNet-31	72.32%	72.44%

网络模型	CIFAR100	CIFAR10
ResNet-32	3.47×10^-6	4.05×10^-6
RevNet-38	6.38×10^-7	5.96×10^-7
i-RevNet-31	2.27×10^-7	2.45×10^-6

网络模型	单位	通道数
RevNet-38	3-3-3	32-32-64-112
RevNet-38-A	3-3-3	32-32-64-112
RevNet-38-B	3-3-3	32-32-64-112
i-RevNet-31	1-3-6	8-32-128
i-RevNet-31-A	1-3-6	8-32-128
i-RevNet-31-B	1-3-6	8-32-128

Privacy leakage risk assessment for reversible neural network

RichHTML

PDF下载

Knowledge

Abstract

Cite this article

share this article

Figures/Tables 18

References 21

Related Articles 15

Metrics

Recommended 0

网络模型	CelebA
ResNet-32	39.28%
RevNet-38	43.25%(↑3.97%)
i-RevNet-31	50.25%(↑10.97%)

网络模型	UTKFace
ResNet-32	46.29%
RevNet-38	48.02%（↑1.73%）
i-RevNet-31	48.96%（↑2.67%）

[1]	Jianlong XU, Jian LIN, Yusen LI, Zhi XIONG. Distributed user privacy preserving adjustable personalized QoS prediction model for cloud services [J]. Chinese Journal of Network and Information Security, 2023, 9(2): 70-80.
[2]	Zhe SUN, Hong NING, Lihua YIN, Binxing FANG. Preliminary study on the construction of a data privacy protection course based on a teaching-in-practice range [J]. Chinese Journal of Network and Information Security, 2023, 9(1): 178-188.
[3]	Xue BAI, Baodong QIN, Rui GUO, Dong ZHENG. Two-party cooperative blind signature based on SM2 [J]. Chinese Journal of Network and Information Security, 2022, 8(6): 39-51.
[4]	Min XIAO, Tao YAO, Yuanni LIU, Yonghong HUANG. Dynamic and efficient vehicular cloud management scheme with privacy protection [J]. Chinese Journal of Network and Information Security, 2022, 8(6): 70-83.
[5]	Chenxin LU, Bing CHEN, Ning DING, Liquan CHEN, Ge WU. Identity-based anonymous cloud auditing scheme with compact tags [J]. Chinese Journal of Network and Information Security, 2022, 8(6): 156-168.
[6]	Shengzhi MING, Jianming ZHU, Zhiyuan SUI, Xian ZHANG. Online medical privacy protection strategy under information value-added mechanism [J]. Chinese Journal of Network and Information Security, 2022, 8(6): 169-177.
[7]	Xian ZHANG, Jianming ZHU, Zhiyuan SUI, Shengzhi MING. Analysis on anonymity and regulation of digital currency transactions based on game theory [J]. Chinese Journal of Network and Information Security, 2022, 8(5): 150-157.
[8]	Feng LIU, Jie YANG, Jiayin QI. Survey on blockchain privacy protection techniques in cryptography [J]. Chinese Journal of Network and Information Security, 2022, 8(4): 29-44.
[9]	Lin JIN, Youliang TIAN. Multi-authority attribute hidden for electronic medical record sharing scheme based on blockchain [J]. Chinese Journal of Network and Information Security, 2022, 8(4): 66-76.
[10]	Weicheng ZHANG, Hongquan WEI, Shuxin LIU, Liming PU. Fast handover authentication scheme in 5G mobile edge computing scenarios [J]. Chinese Journal of Network and Information Security, 2022, 8(3): 154-168.
[11]	Zhensheng GAO, Lifeng CAO, Xuehui DU. Research progress of access control based on blockchain [J]. Chinese Journal of Network and Information Security, 2021, 7(6): 68-87.
[12]	Chuanxin ZHOU, Yi SUN, Degang WANG, Huawei GE. Survey of federated learning research [J]. Chinese Journal of Network and Information Security, 2021, 7(5): 77-92.
[13]	Rongna XIE, Xiaonan FAN, Lin YUAN, Zichen GUO, Jiayu ZHU, Guozhen SHI. Research on extended access control mechanism in online social network [J]. Chinese Journal of Network and Information Security, 2021, 7(5): 123-131.
[14]	Zhanhui YUAN, Zhi YANG, Hongqi ZHANG, Shuyuan JIN, Xuehui DU. Android complex information flow analysis method based on communicating sequential process [J]. Chinese Journal of Network and Information Security, 2021, 7(5): 156-168.
[15]	Kui REN, Quanrun MENG, Shoukun YAN, Zhan QIN. Survey of artificial intelligence data security and privacy protection [J]. Chinese Journal of Network and Information Security, 2021, 7(1): 1-10.