Journal on Communications ›› 2021, Vol. 42 ›› Issue (10): 197-210. doi: 10.11959/j.issn.1000-436x.2021209
陈晋音1,2, 上官文昌2, 张京京3, 郑海斌2, 郑雅羽2, 张旭鸿4
Jinyin CHEN1,2, Wenchang SHANGGUAN2, Jingjing ZHANG3, Haibin ZHENG2, Yayu ZHENG2, Xuhong ZHANG4
Revised: 2021-09-27
Online: 2021-10-25
Published: 2021-10-01
Author biography: Jinyin CHEN (1982- ), female, born in Ningbo, Zhejiang; Ph.D.; professor at Zhejiang University of Technology; main research interests include intelligent computing, data mining and network security.
Supported by:
Abstract:
Existing membership inference attacks (MIA) perform poorly against transfer learning models that are normally fitted (well-generalized rather than overfitted). To address this, MIA against transfer learning models under normal fitting was studied systematically: an anomalous-sample detection step was designed to identify the data samples that are most susceptible to attack, and membership inference was then carried out on individual samples. The proposed attack was validated on four image datasets, and the results show that the proposed MIA achieves good attack performance. For example, on a Flowers102 classifier transferred from VGG16 (pre-trained on Caltech101), the proposed MIA reached a membership inference precision of 83.15%. This reveals that in a transfer learning setting, even without access to the teacher model, MIA against the teacher model can still be carried out by querying the student model alone.
CLC number:
Jinyin CHEN, Wenchang SHANGGUAN, Jingjing ZHANG, Haibin ZHENG, Yayu ZHENG, Xuhong ZHANG. Membership inference attacks against transfer learning for generalized model[J]. Journal on Communications, 2021, 42(10): 197-210.
Table 1
Attack I: performance comparison of different attacks in the access-teacher/attack-teacher mode

| Item | Method | Caltech101 VGG16 | Caltech101 VGG19 | Caltech101 Resnet50 | Flowers102 VGG16 | Flowers102 VGG19 | Flowers102 Resnet50 | CIFAR100 VGG16 | CIFAR100 VGG19 | CIFAR100 Resnet50 | PubFig83 VGG16 | PubFig83 VGG19 | PubFig83 Resnet50 |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Anomalous samples | FMIA | 62 | 60 | 59 | 42 | 43 | 40 | 76 | 73 | 77 | 35 | 31 | 32 |
| Anomalous samples | GMIA | 62 | 60 | 59 | 42 | 43 | 40 | 76 | 73 | 77 | 35 | 31 | 32 |
| Anomalous samples | PMIA | 51 | 53 | 50 | 29 | 27 | 28 | 58 | 58 | 54 | 23 | 22 | 20 |
| Anomalous samples | TMIA | 62 | 60 | 59 | 42 | 43 | 40 | 76 | 73 | 77 | 35 | 31 | 32 |
| Precision | FMIA | 42.41% | 48.23% | 45.12% | 40.17% | 46.66% | 44.31% | 48.03% | 47.64% | 49.46% | 42.49% | 46.31% | 49.15% |
| Precision | GMIA | 51.39% | 52.87% | 51.01% | 48.35% | 46.12% | 47.16% | 43.93% | 45.63% | 46.29% | 41.27% | 51.50% | 41.30% |
| Precision | PMIA | 92.64% | 93.83% | 91.64% | 94.22% | 93.99% | 93.23% | 94.33% | 91.38% | 94.09% | 90.66% | 92.28% | 94.86% |
| Precision | TMIA | 93.60% | 93.49% | 93.54% | 93.01% | 90.08% | 90.20% | 92.34% | 90.74% | | | | |
| Coverage | FMIA | 54.42% | 52.59% | 53.37% | 48.05% | 47.33% | 45.27% | 40.26% | 41.45% | 40.48% | 44.02% | 41.63% | 45.48% |
| Coverage | GMIA | 54.69% | 53.60% | 53.81% | 43.68% | 44.00% | 44.92% | 41.30% | 41.27% | 43.18% | 48.61% | 46.94% | 46.77% |
| Coverage | PMIA | 70.61% | 74.97% | 71.30% | 72.57% | 71.08% | 72.86% | 71.66% | 72.20% | 72.50% | 73.58% | 73.49% | 71.14% |
| Coverage | TMIA | 70.79% | 70.39% | 71.61% | 70.35% | 71.13% | 72.62% | 73.12% | | | | | |

Note: the TMIA precision and coverage rows are incomplete in the source (8 and 7 of 12 cells respectively); the surviving values are listed in the order in which they appear, and the remaining cells are left blank.
Table 2
Attack III: performance comparison of different attacks in the access-student/attack-student mode

| Item | Method | Flowers102 VGG16 | Flowers102 VGG19 | Flowers102 Resnet50 | CIFAR100 VGG16 | CIFAR100 VGG19 | CIFAR100 Resnet50 | PubFig83 VGG16 | PubFig83 VGG19 | PubFig83 Resnet50 |
|---|---|---|---|---|---|---|---|---|---|---|
| Anomalous samples | FMIA | 46 | 43 | 40 | 76 | 73 | 77 | 35 | 31 | 32 |
| Anomalous samples | GMIA | 46 | 43 | 40 | 76 | 73 | 77 | 35 | 31 | 32 |
| Anomalous samples | PMIA | 29 | 27 | 28 | 58 | 58 | 54 | 23 | 22 | 20 |
| Anomalous samples | TMIA | | | | | | | | | |
| Precision | FMIA | 52.34% | 53.55% | 53.91% | 41.59% | 44.28% | 42.51% | 43.82% | 45.70% | 46.15% |
| Precision | GMIA | 52.54% | 53.06% | 53.65% | 41.72% | 40.79% | 41.49% | 40.87% | 44.08% | 44.13% |
| Precision | PMIA | 94.10% | 94.37% | 94.76% | 92.36% | 91.89% | 92.56% | 92.87% | 93.12% | 90.29% |
| Precision | TMIA | 93.29% | 93.53% | 93.97% | 92.00% | 91.55% | 92.34% | | | |
| Coverage | FMIA | 51.42% | 52.99% | 52.76% | 42.11% | 50.21% | 53.57% | 48.36% | 45.50% | 45.63% |
| Coverage | GMIA | 50.30% | 50.09% | 50.32% | 47.01% | 47.84% | 49.64% | 47.21% | 48.48% | 49.80% |
| Coverage | PMIA | 73.51% | 71.89% | 74.30% | 73.42% | 72.24% | 74.12% | 73.43% | 73.63% | 72.84% |
| Coverage | TMIA | 71.15% | 71.50% | 72.36% | 72.97% | 72.95% | 72.12% | | | |

Note: the TMIA rows are incomplete in the source (the anomalous-sample row is empty, and the precision and coverage rows contain 6 of 9 cells each); the surviving values are listed in the order in which they appear, and the remaining cells are left blank.
Table 3
Parameter sensitivity analysis

| Dataset | α | Anomalous samples | Precision | Coverage |
|---|---|---|---|---|
| Caltech101 | 0.1 | 212 | 56.61% | 35.28% |
| Caltech101 | 0.2 | 103 | 77.39% | 59.50% |
| Caltech101 | 0.3 | 57 | 91.66% | 78.03% |
| Flowers102 | 0.2 | 207 | 58.91% | 37.66% |
| Flowers102 | 0.3 | 125 | 71.30% | 58.62% |
| Flowers102 | 0.4 | 75 | 92.25% | 79.10% |
| CIFAR100 | 0.1 | 243 | 58.89% | 34.72% |
| CIFAR100 | 0.2 | 157 | 76.24% | 55.17% |
| CIFAR100 | 0.3 | 68 | 91.22% | 75.97% |
| PubFig83 | 0.1 | 154 | 57.74% | 35.71% |
| PubFig83 | 0.2 | 80 | 73.15% | 54.74% |
| PubFig83 | 0.3 | 33 | 93.16% | 75.29% |