面向机器学习模型的基于PCA的成员推理攻击

doi:10.11959/j.issn.1000-436x.2022009

通信学报 ›› 2022, Vol. 43 ›› Issue (1): 149-160.doi: 10.11959/j.issn.1000-436x.2022009

面向机器学习模型的基于PCA的成员推理攻击

彭长根¹^,²^,³, 高婷¹^,², 刘惠篮¹, 丁红发³^,⁴

¹ 贵州大学公共大数据国家重点实验室，贵州贵阳 550025
² 贵州大学密码学与数据安全研究所，贵州贵阳 550025
³ 贵州大学计算机科学与技术学院，贵州贵阳 550025
⁴ 贵州财经大学信息学院，贵州贵阳 550025

修回日期:2022-01-05 出版日期:2022-01-25 发布日期:2022-01-01
作者简介:彭长根（1963- ），男，贵州锦屏人，博士，贵州大学教授，主要研究方向为隐私保护、密码学和大数据安全等
高婷（1995- ），女，江西吉安人，贵州大学硕士生，主要研究方向为隐私保护、成员推理等
刘惠篮（1988- ），女，贵州贵阳人，博士，贵州大学副教授，主要研究方向为复杂数据分析、稳健回归、高维数据建模和统计计算
丁红发（1988- ），男，河南南阳人，博士，贵州大学在站博士后，贵州财经大学副教授，主要研究方向为隐私保护和大数据安全
基金资助:
国家自然科学基金资助项目(U1836205);国家自然科学基金资助项目(62002080);贵州省科技计划基金资助项目([2020]5017);贵州省教育厅自然科学基金资助项目([2021]140);贵州大学人才引进科研基金资助项目([2020]61)

PCA-based membership inference attack for machine learning models

Changgen PENG¹^,²^,³, Ting GAO¹^,², Huilan LIU¹, Hongfa DING³^,⁴

¹ State Key Laboratory of Public Big Data, Guizhou University, Guiyang 550025, China
² Institute of Cryptography and Data Security, Guizhou University, Guiyang 550025, China
³ College of Computer Science and Technology, Guizhou University, Guiyang 550025, China
⁴ College of Information, Guizhou University of Finance and Economics, Guiyang 550025, China

Revised:2022-01-05 Online:2022-01-25 Published:2022-01-01
Supported by:
The National Natural Science Foundation of China(U1836205);The National Natural Science Foundation of China(62002080);The Science and Technology Plan Foundation of Guizhou Province([2020]5017);The Natural Science Foundation of Department of Education of Guizhou Province([2021]140);The Research Project of Guizhou University for Talent Introduction([2020]61)

摘要/Abstract

摘要：

针对目前黑盒成员推理攻击存在的访问受限失效问题，提出基于主成分分析（PCA）的成员推理攻击。首先，针对黑盒成员推理攻击存在的访问受限问题，提出一种快速决策成员推理攻击fast-attack。在基于距离符号梯度获取扰动样本的基础上将扰动难度映射到距离范畴来进行成员推理。其次，针对快速决策成员推理攻击存在的低迁移率问题，提出一种基于PCA的成员推理攻击PCA-based attack。将快速决策成员推理攻击中的基于扰动算法与PCA技术相结合来实现成员推理，以抑制因过度依赖模型而导致的低迁移行为。实验表明，fast-attack在确保攻击精度的同时降低了访问成本，PCA-based attack在无监督的设置下优于基线攻击，且模型迁移率相比fast-attack提升10%。

关键词: 机器学习, 对抗样本, 成员推理攻击, 主成分分析, 隐私泄露

Abstract:

Aiming at the problem of restricted access failure in current black box membership inference attacks, a PCA-based membership inference attack was proposed.Firstly, in order to solve the restricted access problem of black box membership inference attacks, a fast decision membership inference attack named fast-attack was proposed.Based on the perturbation samples obtained by the distance symbol gradient, the perturbation difficulty was mapped to the distance category for membership inference.Secondly, in view of the low mobility problem of fast-attack, a PCA-based membership inference attack was proposed.Combining the algorithmic ideas based on the perturbation category in the fast-attack and the PCA technology to suppress the low-migration behavior caused by excessive reliance on the model.Finally, experiments show that fast-attack reduces the access cost while ensuring the accuracy of the attack.PCA-based attack is superior to the baseline attack under the unsupervised setting, and the migration rate of model is increased by 10% compared to fast-attack.

Key words: machine learning, adversarial example, membership inference attack, principal component analysis, privacy leakage

中图分类号:

TP309.7

彭长根, 高婷, 刘惠篮, 丁红发. 面向机器学习模型的基于PCA的成员推理攻击[J]. 通信学报, 2022, 43(1): 149-160.

Changgen PENG, Ting GAO, Huilan LIU, Hongfa DING. PCA-based membership inference attack for machine learning models[J]. Journal on Communications, 2022, 43(1): 149-160.

图/表 15

表1

符号说明"

符号	定义	符号	定义
f	目标模型	Ω	先验知识
h	推断模型	$A$	成员推理
H	流形模型	c	样本标签
x	目标数据	L	损失函数
x^*	映射数据	n	扰动像素点数目
x_adv	对抗样本	g	映射方向
η	扰动步长	${S^{'}}_{adv}$	相交区域
τ	判别阈值	φ	单调函数
d(x,x_adv)	扰动难度	$P$	特征向量
S_AR	对抗区域	δ	扰动大小
Q	访问量	δ_max	最大扰动量
Q_max	最大访问量	λ	迭代步长
f₁	分类器1	f₂	分类器2

表1

图1

图2

图3

图4

图5

表2

图6

表3

图7

表4

表5

图8

表6

表7

参考文献 37

[1]	GOODFELLOW I J , SHLENS J , SZEGEDY C . Explaining and harnessing adversarial examples[C]// Proceedings of the 3rd International Conference on Learning Representations.[S.l.:s.n.], 2015: 33-47.
[2]	MU?OZ-GONZáLEZ L , BIGGIO B , DEMONTIS A ,et al. Towards poisoning of deep learning algorithms with back-gradient optimization[C]// Proceedings of the 10th ACM Workshop on Artificial Intelligence and Security. New York:ACM Press, 2017: 27-38.
[3]	SHOKRI R , STRONATI M , SONG C Z ,et al. Membership inference attacks against machine learning models[C]// Proceedings of 2017 IEEE Symposium on Security and Privacy. Piscataway:IEEE Press, 2017: 3-18.
[4]	SALEM A , ZHANG Y , HUMBERT M ,et al. ML-leaks:model and data independent membership inference attacks and defenses on machine learning models[C]// Proceedings of 2019 Network and Distributed System Security Symposium. Virginia:Internet Society, 2019: 243-160.
[5]	AL-RUBAIE M , CHANG J M . Privacy-preserving machine learning:threats and solutions[J]. IEEE Security ＆ Privacy, 2019,17(2): 49-58.
[6]	MELIS L , SONG C Z , DE CRISTOFARO E ,et al. Exploiting unintended feature leakage in collaborative learning[C]// Proceedings of 2019 IEEE Symposium on Security and Privacy. Piscataway:IEEE Press, 2019: 691-706.
[7]	PYRGELIS A , TRONCOSO C , DE CRISTOFARO E . Knock knock,who’s there? membership inference on aggregate location data[C]// Proceedings of 2018 Network and Distributed System Security Symposium. Virginia:Internet Society, 2018: 199-213.
[8]	YEOM S , GIACOMELLI I , FREDRIKSON M ,et al. Privacy risk in machine learning:analyzing the connection to overfitting[C]// Proceedings of 2018 IEEE 31st Computer Security Foundations Symposium. Piscataway:IEEE Press, 2018: 268-282.
[9]	CHOO C A C , TRAMER F , CARLINI N ,et al. Label-only membership inference attacks[J]. arXiv Preprint,arXiv:2007.14321, 2020.
[10]	LI Z , ZHANG Y . Membership leakage in label-only exposures[C]// Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security. New York:ACM Press, 2021: 880-895.
[11]	JIA J Y , SALEM A , BACKES M ,et al. MemGuard:defending against black-box membership inference attacks via adversarial examples[C]// Proceedings of 2019 ACM SIGSAC Conference on Computer and Communications Security. New York:ACM Press, 2019: 259-274.
[12]	NASR M , SHOKRI R , HOUMANSADR A . Comprehensive privacy analysis of deep learning:passive and active white-box inference attacks against centralized and federated learning[C]// Proceedings of 2019 IEEE Symposium on Security and Privacy. Piscataway:IEEE Press, 2019: 739-753.
[13]	HAYES J , MELIS L , DANEZIS G ,et al. LOGAN:membership inference attacks against generative models[J]. arXiv Preprint,arXiv:1705.07663, 2017.
[14]	LEINO K , FREDRIKSON M . Stolen memories:leveraging model memorization for calibrated white-box membership inference[C]// Proceedings of the 29th USENIX Security Symposium. Berkeley:USENIX Association, 2020: 1605-1622.
[15]	LONG Y H , BINDSCHAEDLER V , WANG L ,et al. Understanding membership inferences on well-generalized learning models[J]. arXiv Preprint,arXiv:1802.04889, 2018.
[16]	KHALID F , ALI H , ABDULLAH H M ,et al. FaDec:a fast decision-based attack for adversarial machine learning[C]// Proceedings of 2020 International Joint Conference on Neural Networks (IJCNN). Piscataway:IEEE Press, 2020: 1-8.
[17]	OREKONDY T , SCHIELE B , FRITZ M . Knockoff nets:stealing functionality of black-box models[C]// Proceedings of 2019 IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR). Piscataway:IEEE Press, 2019: 4949-4958.
[18]	SZEGEDY C , ZAREMBA W , SUTSKEVER I ,et al. Intriguing properties of neural networks[J]. arXiv Preprint,arXiv:1312.6199, 2013.
[19]	BRENDEL W , RAUBER J , BETHGE M . Decision-based adversarial attacks:reliable attacks against black-box machine learning models[J]. arXiv Preprint,arXiv:1712.04248, 2017.
[20]	CHEN J B , JORDAN M I , WAINWRIGHT M J . HopSkipJumpAttack:a query-efficient decision-based attack[C]// Proceedings of 2020 IEEE Symposium on Security and Privacy. Piscataway:IEEE Press, 2020: 1277-1294.
[21]	RIFAI S , DAUPHIN Y N , VINCENT P ,et al. The manifold tangent classifier[J]. Advances in Neural Information Processing Systems, 2011,24(8): 2294-2302.
[22]	ZHANG Y G , TIAN X M , LI Y ,et al. Principal component adversarial example[J]. IEEE Transactions on Image Processing, 2020,29: 4804-4815.
[23]	KINGMA D , BA J . Adam:a method for stochastic optimization[J]. arXiv Preprint,arXiv:1412.6980, 2014.
[24]	RIBEIRO M T , SINGH S , GUESTRIN C . “Why should I trust You? ”:explaining the predictions of any classifier[C]// Proceedings of the 22nd ACM SIGKDD International Conference on Knowledge Discovery and Data Mining. New York:ACM Press, 2016: 1135-1144.
[25]	CHEN D F , YU N , ZHANG Y ,et al. GAN-leaks:a taxonomy of membership inference attacks against generative models[C]// Proceedings of 2020 ACM SIGSAC Conference on Computer and Communications Security. New York:ACM Press, 2020: 343-362.
[26]	KURAKIN A , GOODFELLOW I J , BENGIO S . Adversarial machine learning at scale[J]. arXiv Preprint,arXiv:1611.01236, 2016.
[27]	SIMARD P , VICTORRI B , LE CUN Y ,et al. Tangent prop:a formalism for specifying selected invariances in an adaptive network[C]// Proceedings of the 4th International Conference on Neural Information Processing Systems. New York:ACM Press, 1991: 895-903.
[28]	BENGIO Y , COURVILLE A , VINCENT P . Representation learning:a review and new perspectives[J]. IEEE Transactions on Pattern Analysis and Machine Intelligence, 2013,35(8): 1798-1828.
[29]	CARLINI N , WAGNER D . Towards evaluating the robustness of neural networks[C]// Proceedings of 2017 IEEE Symposium on Security and Privacy. Piscataway:IEEE Press, 2017: 39-57.
[30]	HUI B , YANG Y C , YUAN H L ,et al. Practical blind membership inference attack via differential comparisons[J]. arXiv Preprint,arXiv:2101.01341, 2021.
[31]	LI J C , LI N H , RIBEIRO B . Membership inference attacks and defenses in supervised learning via generalization gap[J]. arXiv Preprint,arXiv:2002.12062, 2020.
[32]	SRIVASTAVA N , HINTON G E , KRIZHEVSKY A ,et al. Dropout:a simple way to prevent neural networks from overfitting[J]. Journal of Machine Learning Research, 2014,15(1): 1929-1958.
[33]	SONG L W , SHOKRI R , MITTAL P . Privacy risks of securing machine learning models against adversarial examples[C]// Proceedings of 2019 ACM SIGSAC Conference on Computer and Communications Security. New York:ACM Press, 2019: 241-257.
[34]	ABADI M , CHU A , GOODFELLOW I ,et al. Deep learning with differential privacy[C]// Proceedings of 2016 ACM SIGSAC Conference on Computer and Communications Security. New York:ACM Press, 2016: 308-318.
[35]	IYENGAR R , NEAR J P , SONG D ,et al. Towards practical differentially private convex optimization[C]// Proceedings of 2019 IEEE Symposium on Security and Privacy. Piscataway:IEEE Press, 2019: 299-316.
[36]	RAHIMIAN S , OREKONDY T , FRITZ M . Differential privacy defenses and sampling attacks for membership inference[C]// Proceedings of the 14th ACM Workshop on Artificial Intelligence and Security. New York:ACM Press, 2021:193.
[37]	NASR M , SHOKRI R , HOUMANSADR A . Machine learning with membership privacy using adversarial regularization[C]// Proceedings of 2018 ACM SIGSAC Conference on Computer and Communications Security. New York:ACM Press, 2018: 634-646.

数据集	baselineattack	scorebased attack	boundaryattack	fastattack	PCAbased attack
CIFAR10	0.602	0.707	0.713	0.709	0.687
CIFAR100	0.886	0.921	0.944	0.943	0.923
GTSRB	0.587	0.687	0.724	0.726	0.709

AUC	攻击	50 000	5 000	500
	boundary-attack	81.63%	51.53%	18.30%
0.65	fast-attack	70.78%	50.02%	12.92%
	PCA-based attack	64.86%	42.78%	21.04%
	boundary-attack	17.74%	3.56%	2.00%
0.70	fast-attack	28.51%	6.14%	1.69%
	PCA-based attack	47.20%	21.12%	8.72%
	boundary-attack	2.55%	—	—
0.75	fast-attack	24.58%	4.53%	1.01%
	PCA-based attack	37.49%	14.79%	4.41%

推断类别	攻击	影子模型	机器学习算法	目标模型结构	目标数据分布	置信得分	预测标签	AUC
基于置信度	score-based attack	√或—	√或—	√或—	√或—	√	—	0.707
	baseline-attack	—	—	—	√	—	√	0.602
基于决策	boundary-attack	—	—	—	√或—	—	√	0.713
	fast-attack	—	—	—	—	—	√	0.709
无目标决策	PCA-based attack	—	—	—	√	—	—	0.687

攻击	L1正则化	L2正则化	数据增强	差分隐私	MemGuard	Adversarial regularization
baseline-attack	↓	↓	↓	↓	—	—
score-based attack	↓	↓	↓	↓	↓	↓
boundary-attack	↓	↓	—	↓	—	—
fast-attack	↓	↓	—	↓	—	—
PCA-based attack	—	—	↓	↓	—	—

AUC	攻击	50 000	5 000	500
	boundary-attack	93.63%	89.53%	52.30%
0.65	fast-attack	90.78%	70.02%	42.92%
	PCA-based attack	77.86%	60.78%	53.04%
	boundary-attack	87.74%	73.56%	37.11%
0.70	fast-attack	86.51%	65.14%	31.69%
	PCA-based attack	62.86%	43.12%	37.72%
	boundary-attack	70.55%	45.4%	19.22%
0.75	fast-attack	71.58%	46.47%	17.01%
	PCA-based attack	42.49%	24.22%	20.95%

面向机器学习模型的基于PCA的成员推理攻击

PCA-based membership inference attack for machine learning models

在线阅读

PDF下载

可视化

摘要/Abstract

引用本文

使用本文

图/表 15

参考文献 37

相关文章 15

Metrics

推荐阅读 0

AUC	攻击	ImageNet	GTSRB
	boundary-attack	99.4%	58.53%
0.65	fast-attack	84.1%	53.02%
	PCA-based attack	82.6%	58.78%
	boundary-attack	97.0%	43.56%
0.70	fast-attack	74.4%	36.14%
	PCA-based attack	74.0%	42.12%
	boundary-attack	90.5%	22.7%
0.75	fast-attack	59.9%	21.8%
	PCA-based attack	56.3%	25.89%

[1]	张佳乐, 朱诚诚, 孙小兵, 陈兵. 基于GAN的联邦学习成员推理攻击与防御方法[J]. 通信学报, 2023, 44(5): 193-205.
[2]	戴千一, 张斌, 郭松, 徐开勇. 基于多分类器集成的区块链网络层异常流量检测方法[J]. 通信学报, 2023, 44(3): 66-80.
[3]	袁程胜, 郭强, 付章杰. 基于差分隐私的深度伪造指纹检测模型版权保护算法[J]. 通信学报, 2022, 43(9): 181-193.
[4]	冯晓伟, 许剑锋, 何川. 动态广义主成分分析及其在故障子空间建模中的应用[J]. 通信学报, 2022, 43(5): 92-101.
[5]	何高峰, 魏千峰, 肖咸财, 朱海婷, 徐丙凤. 支持数据隐私保护的恶意加密流量检测确认方法[J]. 通信学报, 2022, 43(2): 156-170.
[6]	冯智斌, 徐煜华, 杜智勇, 刘鑫, 李文, 韩昊, 张晓博. 对抗智能干扰的主动防御技术[J]. 通信学报, 2022, 43(10): 42-54.
[7]	陆彦辉, 柳寒, 李航, 朱光旭. 基于多鉴别器生成对抗网络的时间序列生成模型[J]. 通信学报, 2022, 43(10): 167-176.
[8]	梅锴, 赵海涛, 刘潇然, 刘军, 熊俊, 任保全, 魏急波. 高效的基于数据与模型的信道估计算法[J]. 通信学报, 2022, 43(1): 59-70.
[9]	李方伟, 鲁佳文, 王明月. 多径环境下联合时间反演和PCA降维的阵列幅相误差校正[J]. 通信学报, 2021, 42(8): 111-119.
[10]	邹福泰, 谭越, 王林, 蒋永康. 基于生成对抗网络的僵尸网络检测[J]. 通信学报, 2021, 42(7): 95-106.
[11]	刘留, 张建华, 樊圆圆, 于力, 张嘉驰. 机器学习在信道建模中的应用综述[J]. 通信学报, 2021, 42(2): 134-153.
[12]	陈晋音, 上官文昌, 张京京, 郑海斌, 郑雅羽, 张旭鸿. 面向正常拟合迁移学习模型的成员推理攻击[J]. 通信学报, 2021, 42(10): 197-210.
[13]	胡永进,郭渊博,马骏,张晗,毛秀青. 基于对抗样本的网络欺骗流量生成方法[J]. 通信学报, 2020, 41(9): 59-70.
[14]	伏玉笋,杨根科. 人工智能在移动通信中的应用：挑战与实践[J]. 通信学报, 2020, 41(9): 190-201.
[15]	陈铁明,金成强,吕明琪,朱添田. 基于样本增强的网络恶意流量智能检测方法[J]. 通信学报, 2020, 41(6): 128-138.