Membership Inference Attacks against Machine Learning Models

Shokri, Reza; Stronati, Marco; Song, Congzheng; Shmatikov, Vitaly

doi:10.48550/arxiv.1610.05820

Cited by 23 publications

(55 citation statements)

References 0 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…As such, it is hard to provide guarantees that participation in a dataset does not harm the privacy of an individual. Potential risks are adversaries performing membership test (to know whether an individual is in a dataset or not) [36], recovering of partially known inputs (use the model to complete an input vector with the most likely missing bits), and extraction of the training data using the model's predictions [35].…”

Section: Adversarial Goalsmentioning

confidence: 99%

SoK: Security and Privacy in Machine Learning

Papernot

McDaniel

Sinha

et al. 2018

2018 IEEE European Symposium on Security and Privacy (EuroS&P)

538

471

View full text Add to dashboard Cite

Advances in machine learning (ML) in recent years have enabled a dizzying array of applications such as data analytics, autonomous systems, and security diagnostics. ML is now pervasive-new systems and models are being deployed in every domain imaginable, leading to rapid and widespread deployment of software based inference and decision making. There is growing recognition that ML exposes new vulnerabilities in software systems, yet the technical community's understanding of the nature and extent of these vulnerabilities remains limited. We systematize recent findings on ML security and privacy, focusing on attacks identified on these systems and defenses crafted to date. We articulate a comprehensive threat model for ML, and categorize attacks and defenses within an adversarial framework. Key insights resulting from works both in the ML and security communities are identified and the effectiveness of approaches are related to structural elements of ML algorithms and the data used to train them. We conclude by formally exploring the opposing relationship between model accuracy and resilience to adversarial manipulation. Through these explorations, we show that there are (possibly unavoidable) tensions between model complexity, accuracy, and resilience that must be calibrated for the environments in which they will be used.

show abstract

Section: Adversarial Goalsmentioning

confidence: 99%

SoK: Security and Privacy in Machine Learning

Papernot

McDaniel

Sinha

et al. 2018

2018 IEEE European Symposium on Security and Privacy (EuroS&P)

538

471

View full text Add to dashboard Cite

show abstract

“…We found that there is a trade-off between the quality of the generated samples and the privacy guarantees of the generative model. When using the discriminator for attacks, the success rates are similar to those found for classifiers [16], [18], [19]. Yet, with proper training setup, the model can be robust against membership inference attacks, which provides a strong guarantee against other attacks, like attribute inference.…”

Section: Summary and Concluding Remarksmentioning

confidence: 62%

“…These attacks can identify members of the training set of an ML algorithm and use side information provided by the algorithm to determine arXiv:2012.04475v1 [eess.SP] 6 Dec 2020 properties of the identified client. Thorough analysis of these attacks is available in [16], [18], [19]. However, little research has been done on the privacy leakage of generative models.…”

Section: A Related Workmentioning

confidence: 99%

“…White-box Membership Inference Attacks: In [16], [18], an attack using an inference model is proposed which requires a dedicated training set. However, this may not be realistic and even unnecessary in some scenarios.…”

Section: B Our Contributionmentioning

confidence: 99%

“…Black-box Membership Inference Attacks: All blackbox attacks we have seen in the literature, including those proposed in [11], [16], [18], [19], are based on training a surrogate model that can be used to perform a white-box version of the attack. In general, this yields degraded results in comparison to the white-box attack.…”

Section: B Our Contributionmentioning

confidence: 99%

See 2 more Smart Citations

Privacy-Preserving Synthetic Smart Meters Data

Grosso

Pichler

Piantanida

2021

2021 IEEE Power &Amp; Energy Society Innovative Smart Grid Technologies Conference (ISGT)

View full text Add to dashboard Cite

Power consumption data is very useful as it allows to optimize power grids, detect anomalies and prevent failures, on top of being useful for diverse research purposes. However, the use of power consumption data raises significant privacy concerns, as this data usually belongs to clients of a power company. As a solution, we propose a method to generate synthetic power consumption samples that faithfully imitate the originals, but are detached from the clients and their identities. Our method is based on Generative Adversarial Networks (GANs). Our contribution is twofold. First, we focus on the quality of the generated data, which is not a trivial task as no standard evaluation methods are available. Then, we study the privacy guarantees provided to members of the training set of our neural network. As a minimum requirement for privacy, we demand our neural network to be robust to membership inference attacks, as these provide a gateway for further attacks in addition to presenting a privacy threat on their own. We find that there is a compromise to be made between the privacy and the performance provided by the algorithm.

show abstract

PowerGAN: A Machine Learning Approach for Power Side‐Channel Attack on Compute‐in‐Memory Accelerators

Wang,

Wu,

Park

et al. 2023

Advanced Intelligent Systems

View full text Add to dashboard Cite

Analog compute‐in‐memory (CIM) systems are promising candidates for deep neural network (DNN) inference acceleration. However, as the use of DNNs expands, protecting user input privacy has become increasingly important. Herein, a potential security vulnerability is identified wherein an adversary can reconstruct the user's private input data from a power side‐channel attack even without knowledge of the stored DNN model. An attack approach using a generative adversarial network is developed to achieve high‐quality data reconstruction from power leakage measurements. The analyses show that the attack methodology is effective in reconstructing user input data from power leakage of the analog CIM accelerator, even at large noise levels and after countermeasures. To demonstrate the efficacy of the proposed approach, an example of CIM inference of U‐Net for brain tumor detection is attacked, and the original magnetic resonance imaging medical images can be successfully reconstructed even at a noise level of 20% standard deviation of the maximum power signal value. This study highlights a potential security vulnerability in emerging analog CIM accelerators and raises awareness of needed safety features to protect user privacy in such systems.

show abstract

Membership Inference Attacks against Machine Learning Models

Cited by 23 publications

References 0 publications

SoK: Security and Privacy in Machine Learning

SoK: Security and Privacy in Machine Learning

Privacy-Preserving Synthetic Smart Meters Data

PowerGAN: A Machine Learning Approach for Power Side‐Channel Attack on Compute‐in‐Memory Accelerators

Contact Info

Product

Resources

About