面向机器学习模型的基于PCA的成员推理攻击

doi:10.11959/j.issn.1000-436x.2022009

Abstract

Abstract:

Aiming at the problem of restricted access failure in current black box membership inference attacks, a PCA-based membership inference attack was proposed.Firstly, in order to solve the restricted access problem of black box membership inference attacks, a fast decision membership inference attack named fast-attack was proposed.Based on the perturbation samples obtained by the distance symbol gradient, the perturbation difficulty was mapped to the distance category for membership inference.Secondly, in view of the low mobility problem of fast-attack, a PCA-based membership inference attack was proposed.Combining the algorithmic ideas based on the perturbation category in the fast-attack and the PCA technology to suppress the low-migration behavior caused by excessive reliance on the model.Finally, experiments show that fast-attack reduces the access cost while ensuring the accuracy of the attack.PCA-based attack is superior to the baseline attack under the unsupervised setting, and the migration rate of model is increased by 10% compared to fast-attack.

Key words: machine learning, adversarial example, membership inference attack, principal component analysis, privacy leakage

CLC Number:

TP309.7

Changgen PENG, Ting GAO, Huilan LIU, Hongfa DING. PCA-based membership inference attack for machine learning models[J]. Journal on Communications, 2022, 43(1): 149-160.

Figures/Tables 15

符号	定义	符号	定义
f	目标模型	Ω	先验知识
h	推断模型	$A$	成员推理
H	流形模型	c	样本标签
x	目标数据	L	损失函数
x^*	映射数据	n	扰动像素点数目
x_adv	对抗样本	g	映射方向
η	扰动步长	${S^{'}}_{adv}$	相交区域
τ	判别阈值	φ	单调函数
d(x,x_adv)	扰动难度	$P$	特征向量
S_AR	对抗区域	δ	扰动大小
Q	访问量	δ_max	最大扰动量
Q_max	最大访问量	λ	迭代步长
f₁	分类器1	f₂	分类器2

References 37

[1]	GOODFELLOW I J , SHLENS J , SZEGEDY C . Explaining and harnessing adversarial examples[C]// Proceedings of the 3rd International Conference on Learning Representations.[S.l.:s.n.], 2015: 33-47.
[2]	MU?OZ-GONZáLEZ L , BIGGIO B , DEMONTIS A ,et al. Towards poisoning of deep learning algorithms with back-gradient optimization[C]// Proceedings of the 10th ACM Workshop on Artificial Intelligence and Security. New York:ACM Press, 2017: 27-38.
[3]	SHOKRI R , STRONATI M , SONG C Z ,et al. Membership inference attacks against machine learning models[C]// Proceedings of 2017 IEEE Symposium on Security and Privacy. Piscataway:IEEE Press, 2017: 3-18.
[4]	SALEM A , ZHANG Y , HUMBERT M ,et al. ML-leaks:model and data independent membership inference attacks and defenses on machine learning models[C]// Proceedings of 2019 Network and Distributed System Security Symposium. Virginia:Internet Society, 2019: 243-160.
[5]	AL-RUBAIE M , CHANG J M . Privacy-preserving machine learning:threats and solutions[J]. IEEE Security ＆ Privacy, 2019,17(2): 49-58.
[6]	MELIS L , SONG C Z , DE CRISTOFARO E ,et al. Exploiting unintended feature leakage in collaborative learning[C]// Proceedings of 2019 IEEE Symposium on Security and Privacy. Piscataway:IEEE Press, 2019: 691-706.
[7]	PYRGELIS A , TRONCOSO C , DE CRISTOFARO E . Knock knock,who’s there? membership inference on aggregate location data[C]// Proceedings of 2018 Network and Distributed System Security Symposium. Virginia:Internet Society, 2018: 199-213.
[8]	YEOM S , GIACOMELLI I , FREDRIKSON M ,et al. Privacy risk in machine learning:analyzing the connection to overfitting[C]// Proceedings of 2018 IEEE 31st Computer Security Foundations Symposium. Piscataway:IEEE Press, 2018: 268-282.
[9]	CHOO C A C , TRAMER F , CARLINI N ,et al. Label-only membership inference attacks[J]. arXiv Preprint,arXiv:2007.14321, 2020.
[10]	LI Z , ZHANG Y . Membership leakage in label-only exposures[C]// Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security. New York:ACM Press, 2021: 880-895.
[11]	JIA J Y , SALEM A , BACKES M ,et al. MemGuard:defending against black-box membership inference attacks via adversarial examples[C]// Proceedings of 2019 ACM SIGSAC Conference on Computer and Communications Security. New York:ACM Press, 2019: 259-274.
[12]	NASR M , SHOKRI R , HOUMANSADR A . Comprehensive privacy analysis of deep learning:passive and active white-box inference attacks against centralized and federated learning[C]// Proceedings of 2019 IEEE Symposium on Security and Privacy. Piscataway:IEEE Press, 2019: 739-753.
[13]	HAYES J , MELIS L , DANEZIS G ,et al. LOGAN:membership inference attacks against generative models[J]. arXiv Preprint,arXiv:1705.07663, 2017.
[14]	LEINO K , FREDRIKSON M . Stolen memories:leveraging model memorization for calibrated white-box membership inference[C]// Proceedings of the 29th USENIX Security Symposium. Berkeley:USENIX Association, 2020: 1605-1622.
[15]	LONG Y H , BINDSCHAEDLER V , WANG L ,et al. Understanding membership inferences on well-generalized learning models[J]. arXiv Preprint,arXiv:1802.04889, 2018.
[16]	KHALID F , ALI H , ABDULLAH H M ,et al. FaDec:a fast decision-based attack for adversarial machine learning[C]// Proceedings of 2020 International Joint Conference on Neural Networks (IJCNN). Piscataway:IEEE Press, 2020: 1-8.
[17]	OREKONDY T , SCHIELE B , FRITZ M . Knockoff nets:stealing functionality of black-box models[C]// Proceedings of 2019 IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR). Piscataway:IEEE Press, 2019: 4949-4958.
[18]	SZEGEDY C , ZAREMBA W , SUTSKEVER I ,et al. Intriguing properties of neural networks[J]. arXiv Preprint,arXiv:1312.6199, 2013.
[19]	BRENDEL W , RAUBER J , BETHGE M . Decision-based adversarial attacks:reliable attacks against black-box machine learning models[J]. arXiv Preprint,arXiv:1712.04248, 2017.
[20]	CHEN J B , JORDAN M I , WAINWRIGHT M J . HopSkipJumpAttack:a query-efficient decision-based attack[C]// Proceedings of 2020 IEEE Symposium on Security and Privacy. Piscataway:IEEE Press, 2020: 1277-1294.
[21]	RIFAI S , DAUPHIN Y N , VINCENT P ,et al. The manifold tangent classifier[J]. Advances in Neural Information Processing Systems, 2011,24(8): 2294-2302.
[22]	ZHANG Y G , TIAN X M , LI Y ,et al. Principal component adversarial example[J]. IEEE Transactions on Image Processing, 2020,29: 4804-4815.
[23]	KINGMA D , BA J . Adam:a method for stochastic optimization[J]. arXiv Preprint,arXiv:1412.6980, 2014.
[24]	RIBEIRO M T , SINGH S , GUESTRIN C . “Why should I trust You? ”:explaining the predictions of any classifier[C]// Proceedings of the 22nd ACM SIGKDD International Conference on Knowledge Discovery and Data Mining. New York:ACM Press, 2016: 1135-1144.
[25]	CHEN D F , YU N , ZHANG Y ,et al. GAN-leaks:a taxonomy of membership inference attacks against generative models[C]// Proceedings of 2020 ACM SIGSAC Conference on Computer and Communications Security. New York:ACM Press, 2020: 343-362.
[26]	KURAKIN A , GOODFELLOW I J , BENGIO S . Adversarial machine learning at scale[J]. arXiv Preprint,arXiv:1611.01236, 2016.
[27]	SIMARD P , VICTORRI B , LE CUN Y ,et al. Tangent prop:a formalism for specifying selected invariances in an adaptive network[C]// Proceedings of the 4th International Conference on Neural Information Processing Systems. New York:ACM Press, 1991: 895-903.
[28]	BENGIO Y , COURVILLE A , VINCENT P . Representation learning:a review and new perspectives[J]. IEEE Transactions on Pattern Analysis and Machine Intelligence, 2013,35(8): 1798-1828.
[29]	CARLINI N , WAGNER D . Towards evaluating the robustness of neural networks[C]// Proceedings of 2017 IEEE Symposium on Security and Privacy. Piscataway:IEEE Press, 2017: 39-57.
[30]	HUI B , YANG Y C , YUAN H L ,et al. Practical blind membership inference attack via differential comparisons[J]. arXiv Preprint,arXiv:2101.01341, 2021.
[31]	LI J C , LI N H , RIBEIRO B . Membership inference attacks and defenses in supervised learning via generalization gap[J]. arXiv Preprint,arXiv:2002.12062, 2020.
[32]	SRIVASTAVA N , HINTON G E , KRIZHEVSKY A ,et al. Dropout:a simple way to prevent neural networks from overfitting[J]. Journal of Machine Learning Research, 2014,15(1): 1929-1958.
[33]	SONG L W , SHOKRI R , MITTAL P . Privacy risks of securing machine learning models against adversarial examples[C]// Proceedings of 2019 ACM SIGSAC Conference on Computer and Communications Security. New York:ACM Press, 2019: 241-257.
[34]	ABADI M , CHU A , GOODFELLOW I ,et al. Deep learning with differential privacy[C]// Proceedings of 2016 ACM SIGSAC Conference on Computer and Communications Security. New York:ACM Press, 2016: 308-318.
[35]	IYENGAR R , NEAR J P , SONG D ,et al. Towards practical differentially private convex optimization[C]// Proceedings of 2019 IEEE Symposium on Security and Privacy. Piscataway:IEEE Press, 2019: 299-316.
[36]	RAHIMIAN S , OREKONDY T , FRITZ M . Differential privacy defenses and sampling attacks for membership inference[C]// Proceedings of the 14th ACM Workshop on Artificial Intelligence and Security. New York:ACM Press, 2021:193.
[37]	NASR M , SHOKRI R , HOUMANSADR A . Machine learning with membership privacy using adversarial regularization[C]// Proceedings of 2018 ACM SIGSAC Conference on Computer and Communications Security. New York:ACM Press, 2018: 634-646.

Metrics

Recommended 0

No Suggested Reading articles found!

数据集	baselineattack	scorebased attack	boundaryattack	fastattack	PCAbased attack
CIFAR10	0.602	0.707	0.713	0.709	0.687
CIFAR100	0.886	0.921	0.944	0.943	0.923
GTSRB	0.587	0.687	0.724	0.726	0.709

AUC	攻击	50 000	5 000	500
	boundary-attack	81.63%	51.53%	18.30%
0.65	fast-attack	70.78%	50.02%	12.92%
	PCA-based attack	64.86%	42.78%	21.04%
	boundary-attack	17.74%	3.56%	2.00%
0.70	fast-attack	28.51%	6.14%	1.69%
	PCA-based attack	47.20%	21.12%	8.72%
	boundary-attack	2.55%	—	—
0.75	fast-attack	24.58%	4.53%	1.01%
	PCA-based attack	37.49%	14.79%	4.41%

推断类别	攻击	影子模型	机器学习算法	目标模型结构	目标数据分布	置信得分	预测标签	AUC
基于置信度	score-based attack	√或—	√或—	√或—	√或—	√	—	0.707
	baseline-attack	—	—	—	√	—	√	0.602
基于决策	boundary-attack	—	—	—	√或—	—	√	0.713
	fast-attack	—	—	—	—	—	√	0.709
无目标决策	PCA-based attack	—	—	—	√	—	—	0.687

攻击	L1正则化	L2正则化	数据增强	差分隐私	MemGuard	Adversarial regularization
baseline-attack	↓	↓	↓	↓	—	—
score-based attack	↓	↓	↓	↓	↓	↓
boundary-attack	↓	↓	—	↓	—	—
fast-attack	↓	↓	—	↓	—	—
PCA-based attack	—	—	↓	↓	—	—

AUC	攻击	50 000	5 000	500
	boundary-attack	93.63%	89.53%	52.30%
0.65	fast-attack	90.78%	70.02%	42.92%
	PCA-based attack	77.86%	60.78%	53.04%
	boundary-attack	87.74%	73.56%	37.11%
0.70	fast-attack	86.51%	65.14%	31.69%
	PCA-based attack	62.86%	43.12%	37.72%
	boundary-attack	70.55%	45.4%	19.22%
0.75	fast-attack	71.58%	46.47%	17.01%
	PCA-based attack	42.49%	24.22%	20.95%

PCA-based membership inference attack for machine learning models

RichHTML

PDF

Knowledge

Abstract

Cite this article

share this article

Figures/Tables 15

References 37

Related Articles 15

Metrics

Recommended 0

AUC	攻击	ImageNet	GTSRB
	boundary-attack	99.4%	58.53%
0.65	fast-attack	84.1%	53.02%
	PCA-based attack	82.6%	58.78%
	boundary-attack	97.0%	43.56%
0.70	fast-attack	74.4%	36.14%
	PCA-based attack	74.0%	42.12%
	boundary-attack	90.5%	22.7%
0.75	fast-attack	59.9%	21.8%
	PCA-based attack	56.3%	25.89%

[1]	Jiale ZHANG, Chengcheng ZHU, Xiaobing SUN, Bing CHEN. Membership inference attack and defense method in federated learning based on GAN [J]. Journal on Communications, 2023, 44(5): 193-205.
[2]	Qianyi DAI, Bin ZHANG, Song GUO, Kaiyong XU. Blockchain network layer anomaly traffic detection method based on multiple classifier integration [J]. Journal on Communications, 2023, 44(3): 66-80.
[3]	Xiaofeng FENG, Jianfeng XU, Chuan HE. Dynamic generalized principal component analysis with applications to fault subspace modeling [J]. Journal on Communications, 2022, 43(5): 92-101.
[4]	Gaofeng HE, Qianfeng WEI, Xiancai XIAO, Haiting ZHU, Bingfeng XU. Confirmation method for the detection of malicious encrypted traffic with data privacy protection [J]. Journal on Communications, 2022, 43(2): 156-170.
[5]	Zhibin FENG, Yuhua XU, Zhiyong DU, Xin LIU, Wen LI, Hao HAN, Xiaobo ZHANG. Active defense technology against intelligent jammer [J]. Journal on Communications, 2022, 43(10): 42-54.
[6]	Yanhui LU, Han LIU, Hang LI, Guangxu ZHU. Time series generation model based on multi-discriminator generative adversarial network [J]. Journal on Communications, 2022, 43(10): 167-176.
[7]	Kai MEI, Haitao ZHAO, Xiaoran LIU, Jun LIU, Jun XIONG, Baoquan REN, Jibo WEI. Efficient model-and-data based channel estimation algorithm [J]. Journal on Communications, 2022, 43(1): 59-70.
[8]	Fangwei LI, Jiawen LU, Mingyue WANG. Gain and phase errors calibration for joint time reversal and PCA dimensionality reduction over multipath environment [J]. Journal on Communications, 2021, 42(8): 111-119.
[9]	Futai ZOU, Yue TAN, Lin WANG, Yongkang JIANG. Botnet detection based on generative adversarial network [J]. Journal on Communications, 2021, 42(7): 95-106.
[10]	Liu LIU, Jianhua ZHANG, Yuanyuan FAN, Li YU, Jiachi ZHANG. Survey of application of machine learning in wireless channel modeling [J]. Journal on Communications, 2021, 42(2): 134-153.
[11]	Jinyin CHEN, Wenchang SHANGGUAN, Jingjing ZHANG, Haibin ZHENG, Yayu ZHENG, Xuhong ZHANG. Membership inference attacks against transfer learning for generalized model [J]. Journal on Communications, 2021, 42(10): 197-210.
[12]	Yusun FU,Genke YANG. Application of artificial intelligence in mobile communication:challenge and practice [J]. Journal on Communications, 2020, 41(9): 190-201.
[13]	Tieming CHEN,Chengqiang JIN,Mingqi LYU,Tiantian ZHU. Intelligent detection method on network malicious traffic based on sample enhancement [J]. Journal on Communications, 2020, 41(6): 128-138.
[14]	Chunyu HAN,Yongzheng ZHANG,Yu ZHANG. Fast-flucos:malicious domain name detection method for Fast-flux based on DNS traffic [J]. Journal on Communications, 2020, 41(5): 37-47.
[15]	Zhu WANG,Kun HE,Xinyu WANG,Ben NIU,Fenghua LI. Traffic characteristic based privacy leakage assessment scheme for Android device [J]. Journal on Communications, 2020, 41(2): 155-164.