Black-box membership inference attacks based on shadow model

doi:10.19682/j.cnki.1005-8885.2024.1016

中国邮电高校学报(英文) ›› 2024, Vol. 31 ›› Issue (4): 1-16.doi: 10.19682/j.cnki.1005-8885.2024.1016

• security • 下一篇

Black-box membership inference attacks based on shadow model

School of Computer Science, Beijing University of Posts and Telecommunications, Beijing 100876, China

收稿日期:2022-11-16 修回日期:2023-07-10 出版日期:2024-08-31 发布日期:2024-08-31
通讯作者: Zhou Wen'an E-mail:zhouwa@bupt.edu.cn

Black-box membership inference attacks based on shadow model

School of Computer Science, Beijing University of Posts and Telecommunications, Beijing 100876, China

Received:2022-11-16 Revised:2023-07-10 Online:2024-08-31 Published:2024-08-31

摘要/Abstract

摘要： Membership inference attacks on machine learning models have drawn significant attention. While current research primarily utilizes shadow modeling techniques, which require knowledge of the target model and training data, practical scenarios involve black-box access to the target model with no available information. Limited training data further complicate the implementation of these attacks. In this paper, we experimentally compare common data enhancement schemes and propose a data synthesis framework based on the variational autoencoder generative adversarial network (VAE-GAN) to extend the training data for shadow models. Meanwhile, this paper proposes a shadow model training algorithm based on adversarial training to improve the shadow model's ability to mimic the predicted behavior of the target model when the target model's information is unknown. By conducting attack experiments on different models under the black-box access setting, this paper verifies the effectiveness of the VAE-GAN-based data synthesis framework for improving the accuracy of membership inference attack. Furthermore, we verify that the shadow model, trained by using the adversarial training approach, effectively improves the degree of mimicking the predicted behavior of the target model. Compared with existing research methods, the method proposed in this paper achieves a 2% improvement in attack accuracy and delivers better attack performance.

关键词: machine learning, membership inference attack, shadow model, black-box model

Abstract: Membership inference attacks on machine learning models have drawn significant attention. While current research primarily utilizes shadow modeling techniques, which require knowledge of the target model and training data, practical scenarios involve black-box access to the target model with no available information. Limited training data further complicate the implementation of these attacks. In this paper, we experimentally compare common data enhancement schemes and propose a data synthesis framework based on the variational autoencoder generative adversarial network (VAE-GAN) to extend the training data for shadow models. Meanwhile, this paper proposes a shadow model training algorithm based on adversarial training to improve the shadow model's ability to mimic the predicted behavior of the target model when the target model's information is unknown. By conducting attack experiments on different models under the black-box access setting, this paper verifies the effectiveness of the VAE-GAN-based data synthesis framework for improving the accuracy of membership inference attack. Furthermore, we verify that the shadow model, trained by using the adversarial training approach, effectively improves the degree of mimicking the predicted behavior of the target model. Compared with existing research methods, the method proposed in this paper achieves a 2% improvement in attack accuracy and delivers better attack performance.

Key words: machine learning, membership inference attack, shadow model, black-box model

中图分类号:

TP309.2

Han Zhen, Zhou Wen'an, Han Xiaoxuan, Wu Jie. Black-box membership inference attacks based on shadow model[J]. The Journal of China Universities of Posts and Telecommunications, 2024, 31(4): 1-16.

参考文献

1. DEVLIN J, CHANG M W, LEE K, et al. Bert: Pre-training of deep bidirectional transformers for language understanding. Proceedings of the 17th Annual Conference of the North American Chapter of the Association for Computational Linguistics: Human Language Technologies (NAACL-HLT’19), 2019, Jun 2-7, Minneapolis, MN, USA. Stroudsburg, PA, USA: Association for Computational Linguistics, 2019: 4171-4186.

2. OLIINYK V A, VYSOTSKA V, BUROV Y, et al. Propaganda detection in text data based on NLP and machine learning. Proceedings of the 2nd International Workshop on Modern Machine Learning Technologies and Data Science (MoMLeT+DS’20): Vol 1 (Main Conference), 2020, Jun 2-3, Lviv-Shatsk, Ukraine, 2020: 132-144.

3. HÉNAFF O J, SRINIVAS A, DE FAUW J, et al. Data-efficient image recognition with contrastive predictive coding. Proceedings of the 37th International conference on machine learning (ICML’20), 2020, Jul 13-18, Vienna, Austria. PMLR 119. New York, NY, USA: ACM, 2020: 4182-4192.

4. WEYAND T, ARAUJO A, CAO B, et al. Google landmarks dataset v2--A large-scale benchmark for instance-level recognition and retrieval. Proceedings of the 2020 IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR’20), 2020, Jun 13-19, Seattle, WA, USA. Piscataway, NJ, USA: IEEE, 2020: 2575-2584.

5. TAIGMAN Y, YANG M, RANZATO M A, et al. DeepFace: Closing the gap to human-level performance in face verification. Proceedings of the 2014 IEEE Conference Conference on Computer Vision and Pattern Recognition (CVPR’14), 2014, Jun 23-28, Columbus, OH, USA. Piscataway, NJ, USA: IEEE, 2014: 1701-1708.

6. SCHROFF F, KALENICHENKO D, PHILBIN J. FaceNet: A unified embedding for face recognition and clustering. Proceedings of the 2015 IEEE Conference on Computer Vision and Pattern Recognition(CVPR’15), 2015, Jun 7-12, Boston, MA, USA. Piscataway, NJ, USA: IEEE, 2015: 815-823.

7. DHIMAN G, JUNEJA S, VIRIYASITAVAT W, et al. A novel machine-learning-based hybrid CNN model for tumor identification in medical image processing. Sustainability, 2022, 14(3): Article 1447.

8. CHEN M, HAO Y X, HWANG K, et al. Disease prediction by machine learning over big data from healthcare communities. IEEE Access, 2017, 5: 8869-8879

9. LEO M, SHARMA S, MADDULETY K. Machine learning in banking risk management: A literature review. Risks, 2019, 7(1): Article 29.

10. YURTSEVER E, LAMBERT J, CARBALLO A, et al. A survey of autonomous driving: Common practices and emerging technologies. IEEE Access, 2020, 8: 58443-58469.

11. CARLINI N, LIU C, ERLINGSSON Ú, et al. The secret sharer: Evaluating and testing unintended memorization in neural networks. Proceedings of the 28th USENIX Security Symposium (SEC'19). 2019, Aug 14-16, Santa Clara, CA, USA. Berkeley, CA, USA: USENIX Association, 2019: 267-284.

12. SONG C Z, RISTENPART T, SHMATIKOV V. Machine learning models that remember too much. Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security (CCS '17), 2017, Oct 30-Nov 3, Dallas, TX, USA. New York, NY, USA: ACM, 2017: 587-601.

13. ZHANG C Y, BENGIO S, HARDT M, et al. Understanding deep learning (still) requires rethinking generalization. Communications of the ACM, 2021, 64(3): 107-115.

14. SHOKRI R, STRONATI M, SONG C Z, et al. Membership inference attacks against machine learning models. Proceedings of the 2017 IEEE Symposium on Security and Privacy (SP’17), 2017, May 22-26, San Jose, CA, USA. Piscataway, NJ, USA: IEEE, 2017: 3-18.

15. SALEM A, ZHANG Y, HUMBERT M, et al. Ml-leaks: Model and data independent membership inference attacks and defenses on machine learning models. arXiv Preprint, arXiv:1806.01246, 2018.

16. YU D, ZHANG H S, CHEN W, et al. How does data augmentation affect privacy in machine learning? Proceedings of the 35th AAAI Conference on Artificial Intelligence, The 33rd Conference on Innovative Applications of Artificial Intelligence, The 11th Symposium on Educational Advances in Artificial Intelligence (AAAI’21/IAAI’21/EAAI’21), 2021, Feb 2-9, Vancouver, Canada. Palo Alto, CA, USA: AAAI Press, 2021: 10746-10753

17. TRAMÈR F, ZHANG F, JUELS A, et al. Stealing machine learning models via prediction APIs. Proceedings of the 25th USENIX Security Symposium (SEC'16), 2016, Aug 10-12, Austin, TX, USA. Berkeley, CA, USA: USENIX Association, 2016: 601-618.

18. YU H G, YANG K C, ZHANG T, et al. CloudLeak: Large-scale deep learning models stealing through adversarial examples. Proceedings of the 27th Annual Network and Distributed Systems Security Symposium (NDSS’20), 2020, Feb 23-26, San Diego, CA. Reston, VA, USA: The Internet Society, 2020: DOI:10.14722/ndss.2020.24178

19. SANYAL S, ADDEPALLI S, BABU R V. Towards data-free model stealing in a hard label setting. Proceedings of the 2022 IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR’22), 2022, Jun 18-24, New Orleans, LA, USA. Piscataway, NJ, USA: IEEE, 2022: 15284-15293.

20. FREDRIKSON M, JHA S, RISTENPART T. Model inversion attacks that exploit confidence information and basic countermeasures. Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security (CCS’15), 2015, Oct 12-16, Denver, CO, USA. New York, NY, USA: ACM, 2015: 1322-1333.

21. ZHANG Y H, JIA R X, PEI H Z, et al. The secret revealer: Generative model-inversion attacks against deep neural networks. Proceedings of the 2020 IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR’20), 2020, Jun 13-19, Seattle, WA, USA. Piscataway, NJ, USA: IEEE, 2020: 253-261.

22. KAHLA M, CHEN S, JUST H A, et al. Label-only model inversion attacks via boundary repulsion. Proceedings of the 2022 IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR’22), 2022, Jun 18-24, New Orleans, LA, USA. Piscataway, NJ, USA: IEEE, ,2022: 15025-15033.

23. LONG Y H, BINDSCHAEDLER V, WANG L, et al. Understanding membership inferences on well-generalized learning models. arXiv Preprint, arXiv:1802.04889, 2018.

24. HAYES J, MELIS L, DANEZIS G, et al. Logan: Evaluating information leakage of generative models using generative adversarial networks. arXiv Preprint, arXiv:1705.07663, 2017.

25. NASR M, SHOKRI R, HOUMANSADR A. Machine learning with membership privacy using adversarial regularization. Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security (CCS’18), 2018, Oct 15-19, Toronto, Canada. New York, NY, USA: ACM, 2018: 634-646.

26. LINDBO L A B, SØNDERBY S K, LAROCHELLE H, et al. Autoencoding beyond pixels using a learned similarity metric. Proceedings of the 33rd International Conference on Machine Learning (ICML’16), 2016, Jun 19-24, New York, NY, USA. The Journal of Machine Learning Research (JMLR) 48. 2016: 1558-1566

27. GOODFELLOW I, POUGET-ABADIE J, MIRZA M, et al. Generative adversarial networks. Communications of the ACM, 2020, 63(11): 139-144.

28. HU H S, SALCIC Z, SUN L C, et al. Membership inference attacks on machine learning: A survey. ACM Computing Surveys, 2022, 54(11s): Article 235.

29. WANG Z H, HUANG N, SUN F, et al. Debiasing learning for membership inference attacks against recommender systems. Proceedings of the 28th ACM SIGKDD Conference on Knowledge Discovery and Data Mining (KDD’22), 2022, Aug 14-18, Washington, DC, USA. New York, NY, USA: ACM, 2022: 1959-1968.

30. SHAFRAN A, PELEG S, HOSHEN Y. Membership inference attacks are easier on difficult problems. Proceedings of the 2021 IEEE/CVF International Conference on Computer Vision (ICCV'21), 2021, Oct 10-17, Montreal, Canada. Piscataway, NJ, USA: IEEE, 2021: 14820-14829.

31. HE Y, RAHIMIAN S, SCHIELE B, et al. Segmentations-leak: Membership inference attacks and defenses in semantic image segmentation. Computer Vision: Proceedings of the 16th European Conference on Computer Vision (ECCV’20): Part XXIII, 2020, Aug 23-28, Glasgow, UK. LNCS 12370. Berlin, Germany: Springer, 2020: 519-535.

32. HU P Y, WANG Z H, SUN R X, et al. M⁴I: Multi-modal models membership inference. Advances in Neural Information Processing Systems 35: Proceedings of the 36th International Conference on on Neural Information Processing Systems (NIPS’22), 2022, Nov 28-Dec 9, New Orleans, LA, USA. Red Hook, NY, USA: Curran Associates Inc, 2022: 1867-1882

33. MIAO Y T, CHEN C, PAN L, et al. No-label user-level membership inference for ASR model auditing. Computer Security: Proceedings of the 27th European Symposium on Research in Computer Security (ESORICS’22): Part II, 2022, Sept 26-30, Copenhagen, Denmark. LNCS 13555. Berlin, Germany: Springer, 2022: 610-628.

34. RAHIMIAN S, OREKONDY T, FRITZ M. Differential privacy defenses and sampling attacks for membership inference. Proceedings of the 14th ACM Workshop on Artificial Intelligence and Security (AISec’21), 2021, Nov 15, Republic of Korea. New York, NY, USA: ACM, 2021: 193-202.

35. LI Z, ZHANG Y. Membership leakage in label-only exposures. Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security (CCS '21), 2021, Nov 15-19, Republic of Korea. New York, NY, USA: ACM, 2021: 880-895

36. KINGMA D P, WELLING M. Auto-encoding variational Bayes. Proceedings of the 2nd International Conference on Learning Representations (ICLR’14), 2014, Apr 14-16, Banff, Canada. 2014: 14p.

37. CHOQUETTE-CHOO C A, TRAMER F, CARLINI N, et al. Label-only membership inference attacks. Proceedings of the 38th International Conference on Machine Learning (ICML’21), 2021, Jul 18-24, Virtual Event. PMLR 139. New York, NY, USA: ACM. 2021: 1964-1974.

38. RAHIMIAN S, OREKONDY T, FRITZ M. Sampling attacks: Amplification of membership inference attacks by repeated queries. arXiv Preprint, arXiv:2009.00395, 2020.

[1]	Zhang Guangwei, Zhao Bing, Li Ruifan. Multi-level fusion with deep neural networks for multimodal sentiment classification [J]. 中国邮电高校学报(英文), 2022, 29(3): 25-33.
[2]	Yang Chao, Li Yimin, Li Tong, Xu Siya, Qi Jun, Zhang Yu. Intelligent Service Function Chain Mapping Framework for Cloud-and-Edge-Collaborative IoT[J]. 中国邮电高校学报(英文), 2022, 29(3): 54-68.
[3]	Yang Jingjing, Guo Yuchun, Feng Tingting, Chen Yishuai. User Friendly Preferential Private Recommendation[J]. 中国邮电高校学报(英文), 2022, 29(3): 43-53.
[4]	Li Qinghua, Wang Jiahui, Li Haiming, Feng Chao. HQD-RRT*: a high-quality path planner for mobile robot in dynamic environment[J]. 中国邮电高校学报(英文), 2022, 29(3): 69-80.
[5]	Shao Zihao, Qu Tianguang, Wang Huiqiang, Zou Yifan, Lv Hongwu. User selection based on user-union and relative entropy in mobile crowdsensing[J]. 中国邮电高校学报(英文), 2022, 29(3): 34-42.
[6]	Zhang Miao, Wang Zixian, Yan Danfeng. Illumination robust image transformations for feature-based SLAM using photometric and feature matches loss[J]. 中国邮电高校学报(英文), 2022, 29(3): 92-104.
[7]	Miao Jiansong, Li Hairui, Zheng Ziyuan, Wang Chu, Zhao Zhenmin. Secrecy Energy Efficiency Maximization for UAV-Enabled Multi-Hop Mobile Relay System[J]. 中国邮电高校学报(英文), 2022, 29(3): 81-91.
[8]	Tang Fei, Dong Kun, Ye Zhangtao, Ling Guowei. Authentication scheme for industrial Internet of things based on DAG blockchain[J]. 中国邮电高校学报(英文版), 2021, 28(6): 1-12.

Black-box membership inference attacks based on shadow model

Black-box membership inference attacks based on shadow model

PDF

可视化

摘要/Abstract

引用本文

使用本文

参考文献

相关文章 8

编辑推荐

Metrics

本文评价