基于GAN的联邦学习成员推理攻击与防御方法

doi:10.11959/j.issn.1000-436x.2023094

Abstract

Abstract:

Aiming at the problem that the federated learning system was extremely vulnerable to membership inference attacks initiated by malicious parties in the prediction stage, and the existing defense methods were difficult to achieve a balance between privacy protection and model loss.Membership inference attacks and their defense methods were explored in the context of federated learning.Firstly, two membership inference attack methods called class-level attack and user-level attack based on generative adversarial network (GAN) were proposed, where the former was aimed at leaking the training data privacy of all participants, while the latter could specify a specific participant.In addition, a membership inference defense method in federated learning based on adversarial sample (DefMIA) was further proposed, which could effectively defend against membership inference attacks by designing adversarial sample noise addition methods for global model parameters while ensuring the accuracy of federated learning.The experimental results show that class-level and user-level membership inference attack can achieve over 90% attack accuracy in federated learning, while after using the DefMIA method, their attack accuracy is significantly reduced, approaching random guessing (50%).

Key words: federated learning, membership inference attack, generative adversarial network, adversarial example, privacy leakage

CLC Number:

TP391

Jiale ZHANG, Chengcheng ZHU, Xiaobing SUN, Bing CHEN. Membership inference attack and defense method in federated learning based on GAN[J]. Journal on Communications, 2023, 44(5): 193-205.

Figures/Tables 12

References 36

[10]	CHEN J L , ZHANG J L , ZHAO Y C ,et al. Beyond model-level membership privacy leakage:an adversarial approach in federated learning[C]// Proceedings of 2020 29th International Conference on Computer Communications and Networks (ICCCN). Piscataway:IEEE Press, 2020: 1-9.
[11]	HAYES J , MELIS L , DANEZIS G ,et al. LOGAN:membership inference attacks against generative models[C]// Proceedings of Privacy Enhancing Technologies Symposium. Berlin:Springer, 2019: 133-152.
[12]	NASR M , SHOKRI R , HOUMANSADR A . Comprehensive privacy analysis of deep learning:passive and active white-box inference attacks against centralized and federated learning[C]// Proceedings of 2019 IEEE Symposium on Security and Privacy (SP). Piscataway:IEEE Press, 2019: 739-753.
[13]	GOODFELLOW I , POUGET-ABADIE J , MIRZA M ,et al. Generative adversarial networks[J]. Communications of the ACM, 2020,63(11): 139-144.
[14]	QU Y Y , YU S , ZHANG J W ,et al. GAN-DP:generative adversarial net driven differentially privacy-preserving big data publishing[C]// Proceedings of 2019 IEEE International Conference on Communications (ICC). Piscataway:IEEE Press, 2019: 1-6.
[15]	JONSSON K V , KREITZ G , UDDIN M . Secure multi-party sorting and applications[J]. IACR Cryptology ePrint Archive, 2011:doi.eprint.iacr.org/2011/122.
[16]	AONO Y , HAYASHI T , WANG L ,et al. Privacy-preserving deep learning via additively homomorphic encryption[J]. IEEE Transactions on Information Forensics and Security, 2017,13(5): 1333-1345.
[17]	ABADI M , CHU A , GOODFELLOW I ,et al. Deep learning with differential privacy[C]// Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security. New York:ACM Press, 2016: 308-318.
[18]	JIA J Y , SALEM A , BACKES M ,et al. MemGuard:defending against black-box membership inference attacks via adversarial examples[C]// Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security. New York:ACM Press, 2019: 259-274.
[19]	ZHOU Y H , YE Q , LV J C . Communication-efficient federated learning with compensated overlap-FedAvg[J]. IEEE Transactions on Parallel and Distributed Systems, 2022,33(1): 192-205.
[20]	FREDRIKSON M , JHA S , RISTENPART T . Model inversion attacks that exploit confidence information and basic countermeasures[C]// Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security. New York:ACM Press, 2015: 1322-1333.
[21]	TOLPEGIN V , TRUEX S , GURSOY M E ,et al. Data poisoning attacks against federated learning systems[C]// European Symposium on Research in Computer Security. Berlin:Springer, 2020: 480-501.
[22]	ZHANG J L , CHEN J J , WU D ,et al. Poisoning attack in federated learning using generative adversarial nets[C]// Proceedings of 2019 18th IEEE International Conference on Trust,Security and Privacy In Computing and Communications/13th IEEE International Conference on Big Data Science and Engineering (TrustCom/BigDataSE). Piscataway:IEEE Press, 2019: 374-380.
[23]	MOTHUKURI V , PARIZI R M , POURIYEH S ,et al. A survey on security and privacy of federated learning[J]. Future Generation Computer Systems, 2021,115: 619-640.
[24]	PROUDFOOT D . Anthropomorphism and AI:Turing’s much misunderstood imitation game[J]. Artificial Intelligence, 2011,175(5-6): 950-957.
[25]	ZHANG J L , CHEN B , CHENG X ,et al. PoisonGAN:generative poisoning attacks against federated learning in edge computing systems[J]. IEEE Internet of Things Journal, 2021,8(5): 3310-3322.
[26]	BAGDASARYAN E , VEIT A , HUA Y ,et al. How to backdoor federated learning[C]// International Conference on Artificial Intelligence and Statistics. New York:PMLR, 2020: 2938-2948.
[27]	XU G W , LI H W , LIU S ,et al. VerifyNet:secure and verifiable federated learning[J]. IEEE Transactions on Information Forensics and Security, 2020,15: 911-926.
[1]	MCMAHAN H B , MOORE E , RAMAGE D ,et al. Communication-efficient learning of deep networks from decentralized data[J]. arXiv Preprint,arXiv:1602.05629, 2016.
[2]	LI T , SAHU A K , TALWALKAR A ,et al. Federated learning:challenges,methods,and future directions[J]. IEEE Signal Processing Magazine, 2020,37(3): 50-60.
[28]	LU Y L , HUANG X H , DAI Y Y ,et al. Blockchain and federated learning for privacy-preserved data sharing in industrial IoT[J]. IEEE Transactions on Industrial Informatics, 2020,16(6): 4177-4186.
[29]	SALEM A , ZHANG Y , HUMBERT M ,et al. ML-leaks:model and data independent membership inference attacks and defenses on machine learning models[C]// Proceedings of 2019 Network and Distributed System Security Symposium. Reston:Internet Society, 2019: 1-15.
[3]	YANG Q , LIU Y , CHEN T J ,et al. Federated machine learning[J]. ACM Transactions on Intelligent Systems and Technology, 2019,10(2): 1-19.
[4]	SATTLER F , WIEDEMANN S , MüLLER K R , ,et al. Robust and communication-efficient federated learning from non-i.i.d.data[J]. IEEE Transactions on Neural Networks and Learning Systems, 2019,31(9): 3400-3413.
[30]	ZHANG J W , ZHANG J L , CHEN J J ,et al. GAN enhanced membership inference:a passive local attack in federated learning[C]// Proceedings of 2020 IEEE International Conference on Communications (ICC). Piscataway:IEEE Press, 2020: 1-6.
[31]	HITAJ B , ATENIESE G , PEREZ-CRUZ F . Deep models under the GAN:information leakage from collaborative deep learning[C]// Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security. New York:ACM Press, 2017: 603-618.
[5]	TRUEX S , LIU L , GURSOY M E ,et al. Demystifying membership inference attacks in machine learning as a service[J]. IEEE Transactions on Services Computing, 2021,14(6): 2073-2089.
[6]	WANG Z B , SONG M K , ZHANG Z F ,et al. Beyond inferring class representatives:user-level privacy leakage from federated learning[C]// Proceedings of IEEE Conference on Computer Communications. Piscataway:IEEE Press, 2019: 2512-2520.
[32]	NGUYEN A , YOSINSKI J , CLUNE J . Deep neural networks are easily fooled:high confidence predictions for unrecognizable images[C]// Proceedings of 2015 IEEE Conference on Computer Vision and Pattern Recognition (CVPR). Piscataway:IEEE Press, 2015: 427-436.
[33]	DENG L . The MNIST database of handwritten digit images for machine learning research[best of the Web][J]. IEEE Signal Processing Magazine, 2012,29(6): 141-142.
[7]	MELIS L , SONG C Z , CRISTOFARO E D ,et al. Exploiting unintended feature leakage in collaborative learning[C]// Proceedings of 2019 IEEE Symposium on Security and Privacy (SP). Piscataway:IEEE Press, 2019: 691-706.
[8]	ZHU L , LIU Z , HAN S . Deep leakage from gradients[J]. arXiv Preprint,arXiv:1906.08935, 2019.
[34]	XIAO H , RASUL K , VOLLGRAF R . Fashion-MNIST:a novel image dataset for benchmarking machine learning algorithms[J]. arXiv Preprint,arXiv:1708.07747, 2017.
[35]	HE K M , ZHANG X Y , REN S Q ,et al. Deep residual learning for image recognition[C]// Proceedings of 2016 IEEE Conference on Computer Vision and Pattern Recognition (CVPR). Piscataway:IEEE Press, 2016: 770-778.
[9]	SHOKRI R , STRONATI M , SONG C Z ,et al. Membership inference attacks against machine learning models[C]// Proceedings of 2017 IEEE Symposium on Security and Privacy (SP). Piscataway:IEEE Press, 2017: 3-18.
[36]	WU D , QI S Y , QI Y ,et al. Understanding and defending against White-box membership inference attack in deep learning[J]. Knowledge-Based Systems, 2023,259:110014.

Metrics

Recommended 0

No Suggested Reading articles found!

数据集	攻击精度	召回率	F1分数
MNIST	0.976	0.884	0.94
F-MNIST	0.955	0.872	0.92
CIFAR-10	0.901	0.854	0.87

数据集	文献[9]攻击精度	文献[12]攻击精度	类级MIA精度	主任务准确率
MNIST	0.904	0.847	0.976	0.963
FMNIST	0.873	0.826	0.955	0.925
CIFAR-10	0.866	0.822	0.901	0.897

类别	MNIST		F-MNIST		CIFAR-10
类别	Before	DefMIA	Before	DefMIA	Before	DefMIA
0	0.903	0.501	0.942	0.512	0.876	0.483
1	0.961	0.506	0.922	0.502	0.889	0.491
2	0.953	0.551	0.925	0.524	0.879	0.507
3	0.977	0.575	0.921	0.504	0.874	0.498
4	0.977	0.597	0.953	0.533	0.901	0.503
5	0.896	0.546	0.932	0.517	0.877	0.488
6	0.923	0.549	0.897	0.503	0.894	0.502
7	0.924	0.535	0.933	0.513	0.886	0.514
8	0.923	0.529	0.967	0.539	0.882	0.489
9	0.921	0.535	0.929	0.507	0.906	0.504

攻击	文献[18]	文献[36]	DefMIA
CNN-based MIA	0.657	0.527	0.517
White-box MIA	0.698	0.556	0.586
GAN-enhanced MIA	0.753	0.684	0.594

Membership inference attack and defense method in federated learning based on GAN

RichHTML

PDF

Knowledge

Abstract

Cite this article

share this article

Figures/Tables 12

References 36

Related Articles 15

Metrics

Recommended 0

[1]	Xindi MA, Qinghua LI, Qi JIANG, Zhuo MA, Sheng GAO, Youliang TIAN, Jianfeng MA. Byzantine-robust federated learning over Non-IID data [J]. Journal on Communications, 2023, 44(6): 138-153.
[2]	Youliang TIAN, Shihong WU, Ta LI, Lindong WANG, Hua ZHOU. Federated learning optimization algorithm based on incentive mechanism [J]. Journal on Communications, 2023, 44(5): 169-180.
[3]	Kaiju LI, Qiang XU, Hao WANG. Communication-efficient federated learning method via redundant data elimination [J]. Journal on Communications, 2023, 44(5): 79-93.
[4]	Shengxing YU, Zekai CHEN, Zhong CHEN, Ximeng LIU. DAGUARD: distributed backdoor attack defense scheme under federated learning [J]. Journal on Communications, 2023, 44(5): 110-122.
[5]	Hui JIANG, Tianliu HE, Min LIU, Sheng SUN, Yuwei WANG. High-performance federated continual learning algorithm for heterogeneous streaming data [J]. Journal on Communications, 2023, 44(5): 123-136.
[6]	Xin SUN, Guifu ZHANG, Hongyan XING, Wang Zenghui. Research on intrusion detection for maritime meteorological sensor network based on balancing generative adversarial network [J]. Journal on Communications, 2023, 44(4): 124-136.
[7]	Shengxing YU, Zhong CHEN. Efficient secure federated learning aggregation framework based on homomorphic encryption [J]. Journal on Communications, 2023, 44(1): 14-28.
[8]	Lingtao TANG, Di WANG, Shengyun LIU. Data augmentation scheme for federated learning with non-IID data [J]. Journal on Communications, 2023, 44(1): 164-176.
[9]	Yanhua LIU, Jiaqi LI, Zhengui OU, Xiaoling GAO, Ximeng LIU, Weizhi MENG, Baoxu LIU. Adversarial training driven malicious code detection enhancement method [J]. Journal on Communications, 2022, 43(9): 169-180.
[10]	Yanwen WANG, Weimin LEI, Wei ZHANG, Huan MENG, Xinyi CHEN, Wenhui YE, Qingyang JING. Survey on video image reconstruction method based on generative model [J]. Journal on Communications, 2022, 43(9): 194-208.
[11]	Shaoshuai FAN, Jianbo WU, Hui TIAN. Federated learning resource management for energy-constrained industrial IoT devices [J]. Journal on Communications, 2022, 43(8): 65-77.
[12]	Zijia MO, Zhipeng GAO, Yang YANG, Yijing LIN, Shan SUN, Chen ZHAO. Efficient distributed model sharing strategy for data privacy protection in Internet of vehicles [J]. Journal on Communications, 2022, 43(4): 83-94.
[13]	Xueyuan DUAN, Yu FU, Kun WANG. Multi-dimensional time series anomaly detection method based on VAE-WGAN [J]. Journal on Communications, 2022, 43(3): 1-13.
[14]	Xiayu XIANG, Jiahui WANG, Zirui WANG, Shaoming DUAN, Hezhong PAN, Rongfei ZHUANG, Peiyi HAN, Chuanyi LIU. Generate medical synthetic data based on generative adversarial network [J]. Journal on Communications, 2022, 43(3): 211-224.
[15]	Haiyan KANG, Yuanrui JI. Research on federated learning approach based on local differential privacy [J]. Journal on Communications, 2022, 43(10): 94-105.