Journal on Communications (通信学报) ›› 2022, Vol. 43 ›› Issue (1): 149-160. doi: 10.11959/j.issn.1000-436x.2022009
Changgen PENG1,2,3, Ting GAO1,2, Huilan LIU1, Hongfa DING3,4
Revised: 2022-01-05
Online: 2022-01-25
Published: 2022-01-01
About the author: Changgen PENG (1963- ), male, born in Jinping, Guizhou, Ph.D., professor at Guizhou University; his main research interests are privacy protection, cryptography and big data security.
Abstract:
To address the failure of current black-box membership inference attacks under restricted query access, a membership inference attack based on principal component analysis (PCA) is proposed. First, to address the restricted-access problem of black-box membership inference attacks, a fast-decision membership inference attack, fast-attack, is proposed: perturbed samples are obtained from the distance sign gradient, and the difficulty of perturbing a sample is mapped into the distance domain to perform membership inference. Second, to address the low transfer rate of the fast-decision membership inference attack, a PCA-based membership inference attack, PCA-based attack, is proposed, which combines the perturbation algorithm of the fast-decision attack with PCA to perform membership inference and thereby suppress the low-transfer behavior caused by over-reliance on the target model. Experiments show that fast-attack reduces the query cost while preserving attack accuracy, and that PCA-based attack outperforms the baseline attack in the unsupervised setting, with a model transfer rate 10% higher than that of fast-attack.
Cite this article: Changgen PENG, Ting GAO, Huilan LIU, Hongfa DING. PCA-based membership inference attack for machine learning models[J]. Journal on Communications, 2022, 43(1): 149-160.
Table 3 Transfer rate of different algorithms on the MNIST dataset

| AUC | Attack | 50 000 | 5 000 | 500 |
|---|---|---|---|---|
| 0.65 | boundary-attack | 81.63% | 51.53% | 18.30% |
| 0.65 | fast-attack | 70.78% | 50.02% | 12.92% |
| 0.65 | PCA-based attack | 64.86% | 42.78% | 21.04% |
| 0.70 | boundary-attack | 17.74% | 3.56% | 2.00% |
| 0.70 | fast-attack | 28.51% | 6.14% | 1.69% |
| 0.70 | PCA-based attack | 47.20% | 21.12% | 8.72% |
| 0.75 | boundary-attack | 2.55% | — | — |
| 0.75 | fast-attack | 24.58% | 4.53% | 1.01% |
| 0.75 | PCA-based attack | 37.49% | 14.79% | 4.41% |
Table 6 Transfer rate of different attacks on the CIFAR10 dataset

| AUC | Attack | 50 000 | 5 000 | 500 |
|---|---|---|---|---|
| 0.65 | boundary-attack | 93.63% | 89.53% | 52.30% |
| 0.65 | fast-attack | 90.78% | 70.02% | 42.92% |
| 0.65 | PCA-based attack | 77.86% | 60.78% | 53.04% |
| 0.70 | boundary-attack | 87.74% | 73.56% | 37.11% |
| 0.70 | fast-attack | 86.51% | 65.14% | 31.69% |
| 0.70 | PCA-based attack | 62.86% | 43.12% | 37.72% |
| 0.75 | boundary-attack | 70.55% | 45.4% | 19.22% |
| 0.75 | fast-attack | 71.58% | 46.47% | 17.01% |
| 0.75 | PCA-based attack | 42.49% | 24.22% | 20.95% |
Table 7 Transfer rate of different attacks on the ImageNet and GTSRB datasets

| AUC | Attack | ImageNet | GTSRB |
|---|---|---|---|
| 0.65 | boundary-attack | 99.4% | 58.53% |
| 0.65 | fast-attack | 84.1% | 53.02% |
| 0.65 | PCA-based attack | 82.6% | 58.78% |
| 0.70 | boundary-attack | 97.0% | 43.56% |
| 0.70 | fast-attack | 74.4% | 36.14% |
| 0.70 | PCA-based attack | 74.0% | 42.12% |
| 0.75 | boundary-attack | 90.5% | 22.7% |
| 0.75 | fast-attack | 59.9% | 21.8% |
| 0.75 | PCA-based attack | 56.3% | 25.89% |