5 research outputs found
On Inferring Training Data Attributes in Machine Learning Models
A number of recent works have demonstrated that API access to machine
learning models leaks information about the dataset records used to train the
models. Further, the work of \cite{somesh-overfit} shows that such membership
inference attacks (MIAs) may be sufficient to construct a stronger breed of
attribute inference attacks (AIAs), which given a partial view of a record can
guess the missing attributes. In this work, we show (to the contrary) that MIA
may not be sufficient to build a successful AIA. This is because the latter
requires the ability to distinguish between similar records (differing only in
a few attributes), and, as we demonstrate, the current breed of MIAs is
unsuccessful in distinguishing member records from similar non-member records.
We thus propose a relaxed notion of AIA, whose goal is only to approximately
guess the missing attributes, and argue that such an attack is more likely to be
successful if MIA is to be used as a subroutine for inferring training record
attributes.
Comment: Accepted by PPML'19, a CCS workshop. Submission of 4 pages bar
references and appendix. V2: Update in dataset splitting, and comments on
related work
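As a hedged illustration of the general recipe of using an MIA as a subroutine for attribute inference, the Python sketch below enumerates candidate values for a missing attribute and keeps the completion that a membership-inference scorer rates as most member-like; the membership_score callable is a hypothetical stand-in for any concrete MIA, and the sketch is not the authors' exact construction.

from typing import Callable, Sequence, Tuple

def infer_missing_attribute(
    partial_record: dict,
    missing_key: str,
    candidate_values: Sequence,
    membership_score: Callable[[dict], float],
) -> Tuple[object, float]:
    # Try every candidate value for the missing attribute and keep the one whose
    # completed record the (hypothetical) MIA scores as most member-like.
    best_value, best_score = None, float("-inf")
    for value in candidate_values:
        candidate = dict(partial_record, **{missing_key: value})
        score = membership_score(candidate)
        if score > best_score:
            best_value, best_score = value, score
    return best_value, best_score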
Modelling and Quantifying Membership Information Leakage in Machine Learning
Machine learning models have been shown to be vulnerable to membership
inference attacks, i.e., inferring whether individuals' data have been used for
training models. The lack of understanding about the factors contributing to the success
of these attacks motivates the need for modelling membership information
leakage using information theory and for investigating properties of machine
learning models and training algorithms that can reduce membership information
leakage. We use conditional mutual information leakage to measure the amount of
information leakage from the trained machine learning model about the presence
of an individual in the training dataset. We devise an upper bound for this
measure of information leakage using Kullback--Leibler divergence that is more
amenable to numerical computation. We prove a direct relationship between the
Kullback--Leibler membership information leakage and the probability of success
for a hypothesis-testing adversary examining whether a particular data record
belongs to the training dataset of a machine learning model. We show that the
mutual information leakage is a decreasing function of the training dataset
size and the regularization weight. We also prove that, if the sensitivity of
the machine learning model (defined in terms of the derivatives of the fitness
with respect to model parameters) is high, more membership information is
potentially leaked. This illustrates that complex models, such as deep neural
networks, are more susceptible to membership inference attacks in comparison to
simpler models with fewer degrees of freedom. We show that the amount of
membership information leakage is reduced when using Gaussian
$(\epsilon,\delta)$-differentially-private additive noise.
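For intuition on how a Kullback--Leibler bound can control a hypothesis-testing adversary, the following is the standard Le Cam/Pinsker-style argument, sketched here under the illustrative notation $P_{\mathrm{in}}$ and $P_{\mathrm{out}}$ for the model's output distributions with and without the target record; the paper's exact bound may differ.

\[
\Pr[\text{correct guess}]
\;\le\; \frac{1}{2} + \frac{1}{2}\,\mathrm{TV}\!\left(P_{\mathrm{in}}, P_{\mathrm{out}}\right)
\;\le\; \frac{1}{2} + \frac{1}{2}\sqrt{\tfrac{1}{2}\,D_{\mathrm{KL}}\!\left(P_{\mathrm{in}} \,\|\, P_{\mathrm{out}}\right)},
\]

where the first inequality is the optimal success probability of an equal-prior binary hypothesis test and the second is Pinsker's inequality; small KL-based membership leakage therefore keeps the adversary close to random guessing.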
Membership Inference Attack on Graph Neural Networks
Graph Neural Networks (GNNs), which generalize traditional deep neural
networks on graph data, have achieved state-of-the-art performance on several
graph analytical tasks. We focus on how trained GNN models could leak
information about the \emph{member} nodes that they were trained on. We
introduce two realistic settings for performing a membership inference (MI)
attack on GNNs. While choosing the simplest possible attack model that utilizes
the posteriors of the trained model (black-box access), we thoroughly analyze
the properties of GNNs and the datasets which dictate the differences in their
robustness towards MI attack. While in traditional machine learning models,
overfitting is considered the main cause of such leakage, we show that in GNNs
the additional structural information is the major contributing factor. We
support our findings by extensive experiments on four representative GNN
models. To prevent MI attacks on GNNs, we propose two effective defenses that
significantly decrease the attacker's inference by up to 60% without
degrading the target model's performance. Our code is available at
https://github.com/iyempissy/rebMIGraph.
Comment: Best student paper award, IEEE TPS 2
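As a hedged sketch of the simplest posterior-based (black-box) attack model mentioned above, the snippet below guesses a node to be a training member when the target GNN's top-class confidence on that node exceeds a threshold; the confidence statistic and threshold are illustrative choices, not necessarily the attack evaluated in the paper.

import numpy as np

def confidence_mi_attack(posteriors: np.ndarray, threshold: float = 0.9) -> np.ndarray:
    # posteriors: shape (num_nodes, num_classes), class probabilities returned by
    # the target GNN. Returns a boolean array, True = guessed training member.
    # Rationale: models tend to assign more confident posteriors to member nodes.
    top_confidence = posteriors.max(axis=1)
    return top_confidence >= threshold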
Data and Model Dependencies of Membership Inference Attack
Machine learning (ML) models have been shown to be vulnerable to Membership
Inference Attacks (MIA), which infer the membership of a given data point in
the target dataset by observing the prediction output of the ML model. While
the key factors for the success of MIA have not yet been fully understood,
existing defense mechanisms such as using L2 regularization
\cite{10shokri2017membership} and dropout layers \cite{salem2018ml} take only
the model's overfitting property into consideration. In this paper, we provide
an empirical analysis of the impact of both the data and ML model properties on
the vulnerability of ML techniques to MIA. Our results reveal the relationship
between MIA accuracy and properties of the dataset and training model in use.
In particular, we show that the size of the shadow dataset, the class and
feature balance and the entropy of the target dataset, and the configuration and
fairness of the training model are the most influential factors. Based on those
experimental findings, we conclude that along with model overfitting, multiple
properties jointly contribute to MIA success instead of any single property.
Building on our experimental findings, we propose using those data and model
properties as regularizers to protect ML models against MIA. Our results show
that the proposed defense mechanisms can reduce the MIA accuracy by up to 25\%
without sacrificing the ML model's prediction utility.
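As one hedged illustration of turning a model property into a regularizer against MIA, the sketch below adds a prediction-entropy bonus to a standard cross-entropy loss so that over-confident posteriors are penalized; this is a generic, commonly used defense written in PyTorch for illustration, not necessarily the specific data- and model-property regularizers proposed in the paper.

import torch
import torch.nn.functional as F

def entropy_regularized_loss(logits: torch.Tensor, labels: torch.Tensor,
                             reg_weight: float = 0.1) -> torch.Tensor:
    # Cross-entropy loss minus a weighted prediction-entropy bonus: penalizing
    # low-entropy (over-confident) posteriors narrows the member/non-member
    # output gap that membership inference attacks exploit.
    ce = F.cross_entropy(logits, labels)
    probs = F.softmax(logits, dim=1)
    log_probs = F.log_softmax(logits, dim=1)
    entropy = -(probs * log_probs).sum(dim=1).mean()
    return ce - reg_weight * entropy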
On the (In)Feasibility of Attribute Inference Attacks on Machine Learning Models
With an increase in low-cost machine learning APIs, advanced machine learning
models may be trained on private datasets and monetized by providing them as a
service. However, privacy researchers have demonstrated that these models may
leak information about records in the training dataset via membership inference
attacks. In this paper, we take a closer look at another inference attack
reported in the literature, called attribute inference, whereby an attacker tries
to infer missing attributes of a partially known record used in the training
dataset by accessing the machine learning model as an API. We show that even if
a classification model succumbs to membership inference attacks, it is unlikely
to be susceptible to attribute inference attacks. We demonstrate that this is
because membership inference attacks fail to distinguish a member from a nearby
non-member. We call the ability of an attacker to distinguish the two (similar)
vectors as strong membership inference. We show that membership inference
attacks cannot infer membership in this strong setting, and hence inferring
attributes is infeasible. However, under a relaxed notion of attribute
inference, called approximate attribute inference, we show that it is possible
to infer attributes close to the true attributes. We verify our results on
three publicly available datasets, five membership inference attacks, and three
attribute inference attacks reported in the literature.
Comment: 20 pages, accepted at IEEE EuroS&P 202
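As a hedged sketch of what approximate attribute inference can mean operationally, the helper below counts a guess as correct when it falls within a tolerance of the true attribute value rather than requiring an exact match; the distance measure and tolerance are illustrative choices, not the paper's exact success metric.

import numpy as np

def approximate_aia_accuracy(guessed: np.ndarray, true: np.ndarray,
                             tolerance: float = 0.1) -> float:
    # Fraction of records whose inferred attribute lies within `tolerance`
    # (in normalised attribute units) of the true value.
    guessed = np.asarray(guessed, dtype=float)
    true = np.asarray(true, dtype=float)
    return float(np.mean(np.abs(guessed - true) <= tolerance))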