Milad Nasr scite author profile

Deep neural networks are susceptible to various inference attacks as they remember information about their training data. We design white-box inference attacks to perform a comprehensive privacy analysis of deep learning models. We measure the privacy leakage through parameters of fully trained models as well as the parameter updates of models during training. We design inference algorithms for both centralized and federated learning, with respect to passive and active inference attackers, and assuming different adversary prior knowledge.We evaluate our novel white-box membership inference attacks against deep learning algorithms to trace their training data records. We show that a straightforward extension of the known black-box attacks to the white-box setting (through analyzing the outputs of activation functions) is ineffective. We therefore design new algorithms tailored to the white-box setting by exploiting the privacy vulnerabilities of the stochastic gradient descent algorithm, which is the algorithm used to train deep neural networks. We investigate the reasons why deep learning models may leak information about their training data. We then show that even well-generalized models are significantly susceptible to white-box membership inference attacks, by analyzing stateof-the-art pre-trained and publicly available models for the CIFAR dataset. We also show how adversarial participants, in the federated learning setting, can successfully run active membership inference attacks against other participants, even when the global model achieves high prediction accuracies.

show abstract

Machine Learning with Membership Privacy using Adversarial Regularization

Nasr

2018

View full text Add to dashboard Cite

show abstract

Membership Inference Attacks From First Principles

et al. 2022

View full text Add to dashboard Cite

We introduce the first model-stealing attack that extracts precise, nontrivial information from black-box production language models like Ope-nAI's ChatGPT or Google's PaLM-2. Specifically, our attack recovers the embedding projection layer (up to symmetries) of a transformer model, given typical API access. For under $20 USD, our attack extracts the entire projection matrix of OpenAI's ada and babbage language models. We thereby confirm, for the first time, that these black-box models have a hidden dimension of 1024 and 2048, respectively. We also recover the exact hidden dimension size of the gpt-3.5-turbo model, and estimate it would cost under $2,000 in queries to recover the entire projection matrix. We conclude with potential defenses and mitigations, and discuss the implications of possible future work that could extend our attack.

show abstract

Extracting Training Data from Diffusion Models

Carlini¹,

Hayes²,

Nasr³

et al. 2023

Preprint

View full text Add to dashboard Cite

Image diffusion models such as DALL-E 2, Imagen, and Stable Diffusion have attracted significant attention due to their ability to generate high-quality synthetic images. In this work, we show that diffusion models memorize individual images from their training data and emit them at generation time. With a generate-and-filter pipeline, we extract over a thousand training examples from stateof-the-art models, ranging from photographs of individual people to trademarked company logos. We also train hundreds of diffusion models in various settings to analyze how different modeling and data decisions affect privacy. Overall, our results show that diffusion models are much less private than prior generative models such as GANs, and that mitigating these vulnerabilities may require new advances in privacy-preserving training.

show abstract

Adversary Instantiation: Lower Bounds for Differentially Private Machine Learning

Nasr

Songi

Thakurta

et al. 2021

View full text Add to dashboard Cite

DeepCorr

Nasr

Bahramali

Houmansadr

2018

View full text Add to dashboard Cite

Flow correlation is the core technique used in a multitude of deanonymization attacks on Tor. Despite the importance of ow correlation attacks on Tor, existing ow correlation techniques are considered to be ine ective and unreliable in linking Tor ows when applied at a large scale, i.e., they impose high rates of false positive error rates or require impractically long ow observations to be able to make reliable correlations. In this paper, we show that, unfortunately, ow correlation attacks can be conducted on Tor tra c with drastically higher accuracies than before by leveraging emerging learning mechanisms. We particularly design a system, called DeepCorr, that outperforms the state-of-the-art by signicant margins in correlating Tor connections. DeepCorr leverages an advanced deep learning architecture to learn a ow correlation function tailored to Tor's complex network-this is in contrast to previous works' use of generic statistical correlation metrics to correlate Tor ows. We show that with moderate learning, DeepCorr can correlate Tor connections (and therefore break its anonymity) with accuracies signi cantly higher than existing algorithms, and using substantially shorter lengths of ow observations. For instance, by collecting only about 900 packets of each target Tor ow (roughly 900KB of Tor data), DeepCorr provides a ow correlation accuracy of 96% compared to 4% by the state-of-the-art system of RAPTOR using the same exact setting.We hope that our work demonstrates the escalating threat of ow correlation attacks on Tor given recent advances in learning algorithms, calling for the timely deployment of e ective countermeasures by the Tor community.

show abstract

Adversary Instantiation: Lower Bounds for Differentially Private Machine Learning

Nasr¹,

Song²,

Thakurta³

et al. 2021

Preprint

View full text Add to dashboard Cite

Machine Learning with Differentially Private Labels: Mechanisms and Frameworks

Tang

Nasr

Mahloujifar

et al. 2022

PoPETs

View full text Add to dashboard Cite

Label differential privacy is a relaxation of differential privacy for machine learning scenarios where the labels are the only sensitive information that needs to be protected in the training data. For example, imagine a survey from a participant in a university class about their vaccination status. Some attributes of the students are publicly available but their vaccination status is sensitive information and must remain private. Now if we want to train a model that predicts whether a student has received vaccination using only their public information, we can use label-DP. Recent works on label-DP use different ways of adding noise to the labels in order to obtain label-DP models. In this work, we present novel techniques for training models with label-DP guarantees by leveraging unsupervised learning and semi-supervised learning, enabling us to inject less noise while obtaining the same privacy, therefore achieving a better utility-privacy trade-off. We first introduce a framework that starts with an unsupervised classifier f0 and dataset D with noisy label set Y , reduces the noise in Y using f0 , and then trains a new model f using the less noisy dataset. Our noise reduction strategy uses the model f0 to remove the noisy labels that are incorrect with high probability. Then we use semi-supervised learning to train a model using the remaining labels. We instantiate this framework with multiple ways of obtaining the noisy labels and also the base classifier. As an alternative way to reduce the noise, we explore the effect of using unsupervised learning: we only add noise to a majority voting step for associating the learned clusters with a cluster label (as opposed to adding noise to individual labels); the reduced sensitivity enables us to add less noise. Our experiments show that these techniques can significantly outperform the prior works on label-DP.

show abstract

12 3

scite is a Brooklyn-based organization that helps researchers better discover and understand research articles through Smart Citations–citations that display the context of the citation and describe whether the article provides supporting or contrasting evidence. scite is used by students and researchers from around the world and is funded in part by the National Science Foundation and the National Institute on Drug Abuse of the National Institutes of Health.

Contact Info

hi@scite.ai

10624 S. Eastern Ave., Ste. A-614

Henderson, NV 89052, USA

Blog Terms and Conditions API Terms Privacy Policy Contact Cookie Preferences Do Not Sell or Share My Personal Information

Made with 💙 for researchers

Part of the Research Solutions Family.

Milad Nasr

Comprehensive Privacy Analysis of Deep Learning: Passive and Active White-box Inference Attacks against Centralized and Federated Learning

Machine Learning with Membership Privacy using Adversarial Regularization

Membership Inference Attacks From First Principles

Extracting Training Data from Diffusion Models

Adversary Instantiation: Lower Bounds for Differentially Private Machine Learning

DeepCorr

Adversary Instantiation: Lower Bounds for Differentially Private Machine Learning

Machine Learning with Differentially Private Labels: Mechanisms and Frameworks

Contact Info

Product

Resources

About