基于GAN的联邦学习成员推理攻击与防御方法

doi:10.11959/j.issn.1000-436x.2023094

通信学报 ›› 2023, Vol. 44 ›› Issue (5): 193-205.doi: 10.11959/j.issn.1000-436x.2023094

基于GAN的联邦学习成员推理攻击与防御方法

张佳乐¹^,², 朱诚诚¹^,², 孙小兵¹^,², 陈兵³

¹ 扬州大学信息工程学院，江苏扬州 225127
² 江苏省知识管理与智能服务工程研究中心，江苏扬州 225127
³ 南京航空航天大学计算机科学与技术学院，江苏南京 211106

修回日期:2023-03-06 出版日期:2023-05-25 发布日期:2023-05-01
作者简介:张佳乐（1994- ），男，安徽蚌埠人，博士，扬州大学讲师、硕士生导师，主要研究方向为人工智能安全、联邦学习、数据隐私保护等
朱诚诚（2000- ），男，安徽临泉人，扬州大学硕士生，主要研究方向为联邦学习安全与隐私保护
孙小兵（1985- ），男，江苏姜堰人，博士，扬州大学教授、博士生导师，主要研究方向为软件安全、人工智能安全、区块链安全等
陈兵（1970- ），男，江苏南通人，博士，南京航空航天大学教授、博士生导师，主要研究方向为无线网络、人工智能安全、网络空间安全、智能无人系统等
基金资助:
国家自然科学基金资助项目(62206238);江苏省自然科学基金资助项目(BK20220562);江苏省高等学校基础科学（自然科学）研究基金资助项目(22KJB520010);扬州市科技计划项目-市校合作专项基金资助项目(YZ2021157);扬州市科技计划项目-市校合作专项基金资助项目(YZ2021158)

Membership inference attack and defense method in federated learning based on GAN

Jiale ZHANG¹^,², Chengcheng ZHU¹^,², Xiaobing SUN¹^,², Bing CHEN³

¹ School of Information Engineering, Yangzhou University, Yangzhou 225127, China
² Jiangsu Engineering Research Center Knowledge Management and Intelligent Service, Yangzhou 225127, China
³ College of Computer Science and Technology, Nanjing University of Aeronautics and Astronautics, Nanjing 211106, China

Revised:2023-03-06 Online:2023-05-25 Published:2023-05-01
Supported by:
The National Natural Science Foundation of China(62206238);The Natural Science Foundation of Jiangsu Province(BK20220562);The Natural Science Foundation of Jiangsu Higher Education Institutions of China(22KJB520010);The Yangzhou City-Yangzhou University Science and Technology Cooperation Fund Project(YZ2021157);The Yangzhou City-Yangzhou University Science and Technology Cooperation Fund Project(YZ2021158)

摘要/Abstract

摘要：

针对联邦学习系统极易遭受由恶意参与方在预测阶段发起的成员推理攻击行为，以及现有的防御方法在隐私保护和模型损失之间难以达到平衡的问题，探索了联邦学习中的成员推理攻击及其防御方法。首先提出2种基于生成对抗网络（GAN）的成员推理攻击方法：类级和用户级成员推理攻击，其中，类级成员推理攻击旨在泄露所有参与方的训练数据隐私，用户级成员推理攻击可以指定某一个特定的参与方；此外，进一步提出一种基于对抗样本的联邦学习成员推理防御方法（DefMIA），通过设计针对全局模型参数的对抗样本噪声添加方法，能够在保证联邦学习准确率的同时，有效防御成员推理攻击。实验结果表明，类级和用户级成员推理攻击可以在联邦学习中获得超过90%的攻击精度，而在使用DefMIA方法后，其攻击精度明显降低，接近于随机猜测（50%）。

关键词: 联邦学习, 成员推理攻击, 生成对抗网络, 对抗样本, 隐私泄露

Abstract:

Aiming at the problem that the federated learning system was extremely vulnerable to membership inference attacks initiated by malicious parties in the prediction stage, and the existing defense methods were difficult to achieve a balance between privacy protection and model loss.Membership inference attacks and their defense methods were explored in the context of federated learning.Firstly, two membership inference attack methods called class-level attack and user-level attack based on generative adversarial network (GAN) were proposed, where the former was aimed at leaking the training data privacy of all participants, while the latter could specify a specific participant.In addition, a membership inference defense method in federated learning based on adversarial sample (DefMIA) was further proposed, which could effectively defend against membership inference attacks by designing adversarial sample noise addition methods for global model parameters while ensuring the accuracy of federated learning.The experimental results show that class-level and user-level membership inference attack can achieve over 90% attack accuracy in federated learning, while after using the DefMIA method, their attack accuracy is significantly reduced, approaching random guessing (50%).

Key words: federated learning, membership inference attack, generative adversarial network, adversarial example, privacy leakage

中图分类号:

TP391

张佳乐, 朱诚诚, 孙小兵, 陈兵. 基于GAN的联邦学习成员推理攻击与防御方法[J]. 通信学报, 2023, 44(5): 193-205.

Jiale ZHANG, Chengcheng ZHU, Xiaobing SUN, Bing CHEN. Membership inference attack and defense method in federated learning based on GAN[J]. Journal on Communications, 2023, 44(5): 193-205.

图/表 12

图1

图2

图3

图4

图5

表1

图6

表2

图7

表3

图8

表4

参考文献 36

[10]	CHEN J L , ZHANG J L , ZHAO Y C ,et al. Beyond model-level membership privacy leakage:an adversarial approach in federated learning[C]// Proceedings of 2020 29th International Conference on Computer Communications and Networks (ICCCN). Piscataway:IEEE Press, 2020: 1-9.
[11]	HAYES J , MELIS L , DANEZIS G ,et al. LOGAN:membership inference attacks against generative models[C]// Proceedings of Privacy Enhancing Technologies Symposium. Berlin:Springer, 2019: 133-152.
[12]	NASR M , SHOKRI R , HOUMANSADR A . Comprehensive privacy analysis of deep learning:passive and active white-box inference attacks against centralized and federated learning[C]// Proceedings of 2019 IEEE Symposium on Security and Privacy (SP). Piscataway:IEEE Press, 2019: 739-753.
[13]	GOODFELLOW I , POUGET-ABADIE J , MIRZA M ,et al. Generative adversarial networks[J]. Communications of the ACM, 2020,63(11): 139-144.
[14]	QU Y Y , YU S , ZHANG J W ,et al. GAN-DP:generative adversarial net driven differentially privacy-preserving big data publishing[C]// Proceedings of 2019 IEEE International Conference on Communications (ICC). Piscataway:IEEE Press, 2019: 1-6.
[15]	JONSSON K V , KREITZ G , UDDIN M . Secure multi-party sorting and applications[J]. IACR Cryptology ePrint Archive, 2011:doi.eprint.iacr.org/2011/122.
[16]	AONO Y , HAYASHI T , WANG L ,et al. Privacy-preserving deep learning via additively homomorphic encryption[J]. IEEE Transactions on Information Forensics and Security, 2017,13(5): 1333-1345.
[17]	ABADI M , CHU A , GOODFELLOW I ,et al. Deep learning with differential privacy[C]// Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security. New York:ACM Press, 2016: 308-318.
[18]	JIA J Y , SALEM A , BACKES M ,et al. MemGuard:defending against black-box membership inference attacks via adversarial examples[C]// Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security. New York:ACM Press, 2019: 259-274.
[19]	ZHOU Y H , YE Q , LV J C . Communication-efficient federated learning with compensated overlap-FedAvg[J]. IEEE Transactions on Parallel and Distributed Systems, 2022,33(1): 192-205.
[20]	FREDRIKSON M , JHA S , RISTENPART T . Model inversion attacks that exploit confidence information and basic countermeasures[C]// Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security. New York:ACM Press, 2015: 1322-1333.
[21]	TOLPEGIN V , TRUEX S , GURSOY M E ,et al. Data poisoning attacks against federated learning systems[C]// European Symposium on Research in Computer Security. Berlin:Springer, 2020: 480-501.
[22]	ZHANG J L , CHEN J J , WU D ,et al. Poisoning attack in federated learning using generative adversarial nets[C]// Proceedings of 2019 18th IEEE International Conference on Trust,Security and Privacy In Computing and Communications/13th IEEE International Conference on Big Data Science and Engineering (TrustCom/BigDataSE). Piscataway:IEEE Press, 2019: 374-380.
[23]	MOTHUKURI V , PARIZI R M , POURIYEH S ,et al. A survey on security and privacy of federated learning[J]. Future Generation Computer Systems, 2021,115: 619-640.
[24]	PROUDFOOT D . Anthropomorphism and AI:Turing’s much misunderstood imitation game[J]. Artificial Intelligence, 2011,175(5-6): 950-957.
[25]	ZHANG J L , CHEN B , CHENG X ,et al. PoisonGAN:generative poisoning attacks against federated learning in edge computing systems[J]. IEEE Internet of Things Journal, 2021,8(5): 3310-3322.
[26]	BAGDASARYAN E , VEIT A , HUA Y ,et al. How to backdoor federated learning[C]// International Conference on Artificial Intelligence and Statistics. New York:PMLR, 2020: 2938-2948.
[27]	XU G W , LI H W , LIU S ,et al. VerifyNet:secure and verifiable federated learning[J]. IEEE Transactions on Information Forensics and Security, 2020,15: 911-926.
[1]	MCMAHAN H B , MOORE E , RAMAGE D ,et al. Communication-efficient learning of deep networks from decentralized data[J]. arXiv Preprint,arXiv:1602.05629, 2016.
[2]	LI T , SAHU A K , TALWALKAR A ,et al. Federated learning:challenges,methods,and future directions[J]. IEEE Signal Processing Magazine, 2020,37(3): 50-60.
[28]	LU Y L , HUANG X H , DAI Y Y ,et al. Blockchain and federated learning for privacy-preserved data sharing in industrial IoT[J]. IEEE Transactions on Industrial Informatics, 2020,16(6): 4177-4186.
[29]	SALEM A , ZHANG Y , HUMBERT M ,et al. ML-leaks:model and data independent membership inference attacks and defenses on machine learning models[C]// Proceedings of 2019 Network and Distributed System Security Symposium. Reston:Internet Society, 2019: 1-15.
[3]	YANG Q , LIU Y , CHEN T J ,et al. Federated machine learning[J]. ACM Transactions on Intelligent Systems and Technology, 2019,10(2): 1-19.
[4]	SATTLER F , WIEDEMANN S , MüLLER K R , ,et al. Robust and communication-efficient federated learning from non-i.i.d.data[J]. IEEE Transactions on Neural Networks and Learning Systems, 2019,31(9): 3400-3413.
[30]	ZHANG J W , ZHANG J L , CHEN J J ,et al. GAN enhanced membership inference:a passive local attack in federated learning[C]// Proceedings of 2020 IEEE International Conference on Communications (ICC). Piscataway:IEEE Press, 2020: 1-6.
[31]	HITAJ B , ATENIESE G , PEREZ-CRUZ F . Deep models under the GAN:information leakage from collaborative deep learning[C]// Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security. New York:ACM Press, 2017: 603-618.
[5]	TRUEX S , LIU L , GURSOY M E ,et al. Demystifying membership inference attacks in machine learning as a service[J]. IEEE Transactions on Services Computing, 2021,14(6): 2073-2089.
[6]	WANG Z B , SONG M K , ZHANG Z F ,et al. Beyond inferring class representatives:user-level privacy leakage from federated learning[C]// Proceedings of IEEE Conference on Computer Communications. Piscataway:IEEE Press, 2019: 2512-2520.
[32]	NGUYEN A , YOSINSKI J , CLUNE J . Deep neural networks are easily fooled:high confidence predictions for unrecognizable images[C]// Proceedings of 2015 IEEE Conference on Computer Vision and Pattern Recognition (CVPR). Piscataway:IEEE Press, 2015: 427-436.
[33]	DENG L . The MNIST database of handwritten digit images for machine learning research[best of the Web][J]. IEEE Signal Processing Magazine, 2012,29(6): 141-142.
[7]	MELIS L , SONG C Z , CRISTOFARO E D ,et al. Exploiting unintended feature leakage in collaborative learning[C]// Proceedings of 2019 IEEE Symposium on Security and Privacy (SP). Piscataway:IEEE Press, 2019: 691-706.
[8]	ZHU L , LIU Z , HAN S . Deep leakage from gradients[J]. arXiv Preprint,arXiv:1906.08935, 2019.
[34]	XIAO H , RASUL K , VOLLGRAF R . Fashion-MNIST:a novel image dataset for benchmarking machine learning algorithms[J]. arXiv Preprint,arXiv:1708.07747, 2017.
[35]	HE K M , ZHANG X Y , REN S Q ,et al. Deep residual learning for image recognition[C]// Proceedings of 2016 IEEE Conference on Computer Vision and Pattern Recognition (CVPR). Piscataway:IEEE Press, 2016: 770-778.
[9]	SHOKRI R , STRONATI M , SONG C Z ,et al. Membership inference attacks against machine learning models[C]// Proceedings of 2017 IEEE Symposium on Security and Privacy (SP). Piscataway:IEEE Press, 2017: 3-18.
[36]	WU D , QI S Y , QI Y ,et al. Understanding and defending against White-box membership inference attack in deep learning[J]. Knowledge-Based Systems, 2023,259:110014.

数据集	攻击精度	召回率	F1分数
MNIST	0.976	0.884	0.94
F-MNIST	0.955	0.872	0.92
CIFAR-10	0.901	0.854	0.87

数据集	文献[9]攻击精度	文献[12]攻击精度	类级MIA精度	主任务准确率
MNIST	0.904	0.847	0.976	0.963
FMNIST	0.873	0.826	0.955	0.925
CIFAR-10	0.866	0.822	0.901	0.897

类别	MNIST		F-MNIST		CIFAR-10
类别	Before	DefMIA	Before	DefMIA	Before	DefMIA
0	0.903	0.501	0.942	0.512	0.876	0.483
1	0.961	0.506	0.922	0.502	0.889	0.491
2	0.953	0.551	0.925	0.524	0.879	0.507
3	0.977	0.575	0.921	0.504	0.874	0.498
4	0.977	0.597	0.953	0.533	0.901	0.503
5	0.896	0.546	0.932	0.517	0.877	0.488
6	0.923	0.549	0.897	0.503	0.894	0.502
7	0.924	0.535	0.933	0.513	0.886	0.514
8	0.923	0.529	0.967	0.539	0.882	0.489
9	0.921	0.535	0.929	0.507	0.906	0.504

攻击	文献[18]	文献[36]	DefMIA
CNN-based MIA	0.657	0.527	0.517
White-box MIA	0.698	0.556	0.586
GAN-enhanced MIA	0.753	0.684	0.594

基于GAN的联邦学习成员推理攻击与防御方法

Membership inference attack and defense method in federated learning based on GAN

在线阅读

PDF下载

可视化

摘要/Abstract

引用本文

使用本文

图/表 12

参考文献 36

相关文章 15

Metrics

推荐阅读 0

[1]	马鑫迪, 李清华, 姜奇, 马卓, 高胜, 田有亮, 马建峰. 面向Non-IID数据的拜占庭鲁棒联邦学习[J]. 通信学报, 2023, 44(6): 138-153.
[2]	金彪, 李逸康, 姚志强, 陈瑜霖, 熊金波. GenFedRL：面向深度强化学习智能体的通用联邦强化学习框架[J]. 通信学报, 2023, 44(6): 183-197.
[3]	李开菊, 许强, 王豪. 冗余数据去除的联邦学习高效通信方法[J]. 通信学报, 2023, 44(5): 79-93.
[4]	余晟兴, 陈泽凯, 陈钟, 刘西蒙. DAGUARD：联邦学习下的分布式后门攻击防御方案[J]. 通信学报, 2023, 44(5): 110-122.
[5]	姜慧, 何天流, 刘敏, 孙胜, 王煜炜. 面向异构流式数据的高性能联邦持续学习算法[J]. 通信学报, 2023, 44(5): 123-136.
[6]	田有亮, 吴柿红, 李沓, 王林冬, 周骅. 基于激励机制的联邦学习优化算法[J]. 通信学报, 2023, 44(5): 169-180.
[7]	苏新, 张桂福, 行鸿彦, Zenghui Wang. 基于平衡生成对抗网络的海洋气象传感网入侵检测研究[J]. 通信学报, 2023, 44(4): 124-136.
[8]	余晟兴, 陈钟. 基于同态加密的高效安全联邦学习聚合框架[J]. 通信学报, 2023, 44(1): 14-28.
[9]	汤凌韬, 王迪, 刘盛云. 面向非独立同分布数据的联邦学习数据增强方案[J]. 通信学报, 2023, 44(1): 164-176.
[10]	刘延华, 李嘉琪, 欧振贵, 高晓玲, 刘西蒙, MENG Weizhi, 刘宝旭. 对抗训练驱动的恶意代码检测增强方法[J]. 通信学报, 2022, 43(9): 169-180.
[11]	袁程胜, 郭强, 付章杰. 基于差分隐私的深度伪造指纹检测模型版权保护算法[J]. 通信学报, 2022, 43(9): 181-193.
[12]	王延文, 雷为民, 张伟, 孟欢, 陈新怡, 叶文慧, 景庆阳. 基于生成模型的视频图像重建方法综述[J]. 通信学报, 2022, 43(9): 194-208.
[13]	范绍帅, 吴剑波, 田辉. 面向能量受限工业物联网设备的联邦学习资源管理[J]. 通信学报, 2022, 43(8): 65-77.
[14]	李昂, 陈建新, 魏昕, 周亮. 面向6G的跨模态信号重建技术[J]. 通信学报, 2022, 43(6): 28-40.
[15]	莫梓嘉, 高志鹏, 杨杨, 林怡静, 孙山, 赵晨. 面向车联网数据隐私保护的高效分布式模型共享策略[J]. 通信学报, 2022, 43(4): 83-94.