Research Progress and Challenges of Membership Inference Attacks in Machine Learning
Abstract: A membership inference attack infers, by attacking a machine learning model, whether a target data point is a member of the model's training dataset; as these attacks mature, they pose a serious privacy threat to machine learning. Starting from the basic theory of attack and defense for machine learning models, this paper analyses the key technical models of membership inference attacks and clarifies the relationship between attack models and privacy leakage risks, with the aim of protecting data privacy and promoting the development of machine learning applications. First, it introduces the adversary model, definition and classification of membership inference attacks, and the mechanism by which attack models are generated. Second, it categorises, summarises and compares existing membership inference attack algorithms. Third, it introduces real-world applications of membership inference attacks and categorises and compares the defense techniques against them. Finally, by comparing and analysing existing attack schemes and defense methods, it discusses development trends of membership inference attacks in machine learning and future research challenges in data privacy protection. This work provides a theoretical basis for addressing data privacy leakage and helps advance the field of machine learning applications.
Citation: 高婷 (Gao Ting). Research Progress and Challenges of Membership Inference Attacks in Machine Learning [J]. 运筹与模糊学 (Operations Research and Fuzziology), 2022, 12(1): 1-15. https://doi.org/10.12677/ORF.2022.121001