TY - JOUR
T1 - Use the Spear as a Shield
T2 - An Adversarial Example Based Privacy-Preserving Technique Against Membership Inference Attacks
AU - Xue, Mingfu
AU - Yuan, Chengxiang
AU - He, Can
AU - Wu, Yinghao
AU - Wu, Zhiyu
AU - Zhang, Yushu
AU - Liu, Zhe
AU - Liu, Weiqiang
N1 - Publisher Copyright:
© 2013 IEEE.
PY - 2023/1/1
Y1 - 2023/1/1
N2 - Recent researches demonstrate that deep learning models are vulnerable to membership inference attacks. Few defenses have been proposed, but suffer from compromising the performance or quality of the target model, or cannot effectively resist membership inference attacks. This paper proposes an adversarial example based privacy-preserving technique (AEPPT), which adds crafted adversarial perturbations to the prediction of the target model to mislead the adversary's membership inference model. The added adversarial perturbations do not affect the accuracy of the target model, while can prevent the adversary from inferring whether a specific data is in the training set of the target model. Since AEPPT only modifies the original output of the target model, the proposed method does not require to modify or retrain the target model. Experimental results show that the proposed method can reduce the inference accuracy and precision of the membership inference model to around 50%, which is close to a random guess. The recall of the membership inference model drops from 88.24% to 6.48% on TinyImageNet dataset, drops from 98.5% to 17.1% on Purchase dataset, drops from 97.70% to 40.30% on ImageNet dataset, and drops from 88.7% to 51.9% on the CIFAR100 dataset, respectively. Besides, the performances of the proposed method under various factors (i.e., perturbation step size, number of adversary's data, proportion of member data and non-member data used to train substitute membership inference model, number of target model's output classes, and different membership inference models) are evaluated, which demonstrate that the proposed method can resist membership inference attacks under different conditions. Moreover, for those adaptive attacks where the adversary knows the defense mechanism, the proposed AEPPT is also demonstrated to be effective. Compared with the state-of-the-art defense methods, the proposed defense can significantly degrade the accuracy and precision of membership inference attacks to 50% (i.e., random guess), while the normal performance and utility of the target model are not affected.
AB - Recent researches demonstrate that deep learning models are vulnerable to membership inference attacks. Few defenses have been proposed, but suffer from compromising the performance or quality of the target model, or cannot effectively resist membership inference attacks. This paper proposes an adversarial example based privacy-preserving technique (AEPPT), which adds crafted adversarial perturbations to the prediction of the target model to mislead the adversary's membership inference model. The added adversarial perturbations do not affect the accuracy of the target model, while can prevent the adversary from inferring whether a specific data is in the training set of the target model. Since AEPPT only modifies the original output of the target model, the proposed method does not require to modify or retrain the target model. Experimental results show that the proposed method can reduce the inference accuracy and precision of the membership inference model to around 50%, which is close to a random guess. The recall of the membership inference model drops from 88.24% to 6.48% on TinyImageNet dataset, drops from 98.5% to 17.1% on Purchase dataset, drops from 97.70% to 40.30% on ImageNet dataset, and drops from 88.7% to 51.9% on the CIFAR100 dataset, respectively. Besides, the performances of the proposed method under various factors (i.e., perturbation step size, number of adversary's data, proportion of member data and non-member data used to train substitute membership inference model, number of target model's output classes, and different membership inference models) are evaluated, which demonstrate that the proposed method can resist membership inference attacks under different conditions. Moreover, for those adaptive attacks where the adversary knows the defense mechanism, the proposed AEPPT is also demonstrated to be effective. Compared with the state-of-the-art defense methods, the proposed defense can significantly degrade the accuracy and precision of membership inference attacks to 50% (i.e., random guess), while the normal performance and utility of the target model are not affected.
KW - Adversarial examples
KW - artificial intelligence security
KW - membership inference attack
KW - privacy-preserving machine learning
UR - https://www.scopus.com/pages/publications/85133683527
U2 - 10.1109/TETC.2022.3184408
DO - 10.1109/TETC.2022.3184408
M3 - 文章
AN - SCOPUS:85133683527
SN - 2168-6750
VL - 11
SP - 153
EP - 169
JO - IEEE Transactions on Emerging Topics in Computing
JF - IEEE Transactions on Emerging Topics in Computing
IS - 1
ER -