Stealing Links from Graph Neural Networks
Graph data, such as chemical networks and social networks, may be deemed
confidential/private because the data owner often spends lots of resources
collecting the data or the data contains sensitive information, e.g., social
relationships. Recently, neural networks were extended to graph data, which are
known as graph neural networks (GNNs). Due to their superior performance, GNNs
have many applications, such as healthcare analytics, recommender systems, and
fraud detection. In this work, we propose the first attacks to steal a graph
from the outputs of a GNN model that is trained on the graph. Specifically,
given black-box access to a GNN model, our attacks can infer whether there
exists a link between any pair of nodes in the graph used to train the model.
We call our attacks link stealing attacks. We propose a threat model to
systematically characterize an adversary's background knowledge along three
dimensions, which together yield a comprehensive taxonomy of 8 different link
stealing attacks. We propose multiple novel methods to realize these 8 attacks.
Extensive experiments on 8 real-world datasets show that our attacks are
effective at stealing links, e.g., AUC (area under the ROC curve) is above 0.95
in multiple cases. Our results indicate that the outputs of a GNN model reveal
rich information about the structure of the graph used to train the model.
Comment: To appear in the 30th USENIX Security Symposium, August 2021, Vancouver, B.C., Canada.
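Below is a minimal sketch of the weakest-adversary variant of such a link stealing attack, as the abstract suggests: with only black-box access, query the model's posteriors for two nodes and predict a link when the posteriors are similar. The query interface, the choice of cosine similarity, and the threshold are illustrative assumptions, not the paper's exact method.

```python
# Hedged sketch of a black-box link stealing attack: nodes connected in the
# training graph tend to receive similar GNN posteriors, so a similarity
# threshold can recover links. `model.predict` is a hypothetical query API.
import numpy as np

def query_gnn_posterior(model, node_id):
    # Placeholder for one black-box query; assumed to return a
    # probability vector over classes for the given node.
    return model.predict(node_id)

def steal_link(model, u, v, threshold=0.9):
    """Predict that edge (u, v) exists in the training graph when the
    cosine similarity of the two nodes' posteriors exceeds a threshold."""
    p_u = query_gnn_posterior(model, u)
    p_v = query_gnn_posterior(model, v)
    cos = np.dot(p_u, p_v) / (np.linalg.norm(p_u) * np.linalg.norm(p_v))
    return cos >= threshold
```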
Privacy-Utility Trade-offs in Neural Networks for Medical Population Graphs: Insights from Differential Privacy and Graph Structure
We initiate an empirical investigation into differentially private graph
neural networks on population graphs from the medical domain by examining
privacy-utility trade-offs at different privacy levels on both real-world and
synthetic datasets and performing auditing through membership inference
attacks. Our findings highlight the potential and the challenges of this
specific DP application area. Moreover, we find evidence that the underlying
graph structure is a potential factor in larger performance gaps, as we observe
a correlation between the degree of graph homophily and the accuracy of the
trained model.
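For reference, the graph property the abstract correlates with accuracy is commonly measured as edge homophily: the fraction of edges whose endpoints share a label. A minimal sketch (names are illustrative, not from the paper):

```python
# Edge homophily ratio: fraction of edges connecting same-label nodes.
def edge_homophily(edges, labels):
    """edges: list of (u, v) pairs; labels: dict node -> class label."""
    same = sum(1 for u, v in edges if labels[u] == labels[v])
    return same / len(edges) if edges else 0.0

# Example: 1 of 3 edges connects same-label nodes.
print(edge_homophily([(0, 1), (1, 2), (2, 3)],
                     {0: "a", 1: "a", 2: "b", 3: "a"}))  # -> 0.333...
```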
Independent Distribution Regularization for Private Graph Embedding
Learning graph embeddings is a crucial task in graph mining. An effective
graph embedding model can learn low-dimensional representations from
graph-structured data for data publishing, benefiting various downstream
applications such as node classification and link prediction. However, recent
studies have revealed that graph embeddings are susceptible to attribute
inference attacks, which allow attackers to infer private node attributes from
the learned graph embeddings. To address these concerns, privacy-preserving
graph embedding methods have emerged, aiming to simultaneously consider primary
learning and privacy protection through adversarial learning. However, most
existing methods assume that representation models have access to all sensitive
attributes in advance during the training stage, which is not always the case
due to diverse privacy preferences. Furthermore, the commonly used adversarial
learning technique in privacy-preserving representation learning suffers from
unstable training issues. In this paper, we propose a novel approach called
Private Variational Graph AutoEncoders (PVGAE) with the aid of independent
distribution penalty as a regularization term. Specifically, we split the
original variational graph autoencoder (VGAE) to learn sensitive and
non-sensitive latent representations using two sets of encoders. Additionally,
we introduce a novel regularization to enforce the independence of the
encoders. We prove the theoretical effectiveness of regularization from the
perspective of mutual information. Experimental results on three real-world
datasets demonstrate that PVGAE outperforms other baselines in private
embedding learning in terms of utility performance and privacy protection.
Comment: Accepted by CIKM 2023.
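As a rough illustration of the splitting idea (not the authors' implementation), the sketch below uses two encoders for sensitive and non-sensitive latents and a simple cross-covariance penalty as a stand-in for the paper's independent-distribution regularizer; plain linear encoders replace the graph convolutions of a real VGAE.

```python
# Hedged sketch: split latents into sensitive / non-sensitive blocks and
# penalize dependence between them. The covariance penalty and MLP encoders
# are stand-ins, not PVGAE itself.
import torch
import torch.nn as nn

class SplitEncoder(nn.Module):
    def __init__(self, in_dim, z_dim):
        super().__init__()
        self.enc_sensitive = nn.Linear(in_dim, z_dim)
        self.enc_rest = nn.Linear(in_dim, z_dim)

    def forward(self, x):
        return self.enc_sensitive(x), self.enc_rest(x)

def independence_penalty(z_s, z_r):
    # Penalize cross-covariance between the two latent blocks; zero
    # cross-covariance is a (weak) proxy for independence.
    z_s = z_s - z_s.mean(dim=0)
    z_r = z_r - z_r.mean(dim=0)
    cov = z_s.T @ z_r / (z_s.shape[0] - 1)
    return (cov ** 2).sum()

x = torch.randn(128, 16)               # 128 nodes, 16 input features
z_s, z_r = SplitEncoder(16, 8)(x)
loss = independence_penalty(z_s, z_r)  # add to the task loss during training
```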
Quantifying Privacy Leakage in Graph Embedding
Graph embeddings have been proposed to map graph data to low dimensional
space for downstream processing (e.g., node classification or link prediction).
With the increasing collection of personal data, graph embeddings can be
trained on private and sensitive data. For the first time, we quantify the
privacy leakage in graph embeddings through three inference attacks targeting
Graph Neural Networks. We propose a membership inference attack to infer
whether a graph node corresponding to an individual user's data was a member
of the model's training set. We consider a black-box setting where the
adversary exploits the output prediction scores, and a white-box setting where
the adversary also has access to the released node embeddings. This attack
achieves an accuracy up to 28% (black-box) and 36% (white-box) beyond random
guessing by
exploiting the distinguishable footprint between train and test data records
left by the graph embedding. We propose a Graph Reconstruction attack where the
adversary aims to reconstruct the target graph given the corresponding graph
embeddings. Here, the adversary can reconstruct the graph with more than 80%
accuracy and infer links between two nodes with around 30% more confidence than a
random guess. We then propose an attribute inference attack where the adversary
aims to infer a sensitive attribute. We show that graph embeddings are strongly
correlated with node attributes, allowing the adversary to infer sensitive
information (e.g., gender or location).
Comment: 11 pages.
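A minimal sketch of the black-box membership signal exploited by the first attack, assuming a hypothetical model API: training members tend to receive more confident predictions, so thresholding the top prediction score already separates train from test records to some degree.

```python
# Hedged sketch of confidence-threshold membership inference. The threshold
# and input format are illustrative assumptions.
import numpy as np

def is_member(prediction_scores, threshold=0.95):
    """prediction_scores: probability vector returned by the target model
    for one node; predict 'member' when the top score is suspiciously high."""
    return float(np.max(prediction_scores)) >= threshold

print(is_member(np.array([0.98, 0.01, 0.01])))  # likely a training member
print(is_member(np.array([0.50, 0.30, 0.20])))  # likely a non-member
```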
10 Security and Privacy Problems in Self-Supervised Learning
Self-supervised learning has achieved revolutionary progress in the past
several years and is commonly believed to be a promising approach for
general-purpose AI. In particular, self-supervised learning aims to pre-train
an encoder using a large amount of unlabeled data. The pre-trained encoder is
like an "operating system" of the AI ecosystem. Specifically, the encoder can
be used as a feature extractor for many downstream tasks with little or no
labeled training data. Existing studies on self-supervised learning mainly
focused on pre-training a better encoder to improve its performance on
downstream tasks in non-adversarial settings, leaving its security and privacy
in adversarial settings largely unexplored. A security or privacy issue of a
pre-trained encoder leads to a single point of failure for the AI ecosystem. In
this book chapter, we discuss 10 basic security and privacy problems for the
pre-trained encoders in self-supervised learning, including six confidentiality
problems, three integrity problems, and one availability problem. For each
problem, we discuss potential opportunities and challenges. We hope our book
chapter will inspire future research on the security and privacy of
self-supervised learning.
Comment: A book chapter.
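A brief sketch of the "feature extractor" usage pattern that makes the pre-trained encoder a single point of failure: freeze the encoder and train only a small head per downstream task. The encoder object and dimensions are placeholders.

```python
# Hedged sketch of linear probing on a frozen pre-trained encoder.
import torch.nn as nn

def build_downstream_classifier(encoder, feat_dim, num_classes):
    for p in encoder.parameters():
        p.requires_grad = False          # keep the pre-trained encoder frozen
    head = nn.Linear(feat_dim, num_classes)
    return nn.Sequential(encoder, head)  # only the linear head is trained
```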
False Claims against Model Ownership Resolution
Deep neural network (DNN) models are valuable intellectual property of model
owners, constituting a competitive advantage. Therefore, it is crucial to
develop techniques to protect against model theft. Model ownership resolution
(MOR) is a class of techniques that can deter model theft. A MOR scheme enables
an accuser to assert an ownership claim for a suspect model by presenting
evidence, such as a watermark or fingerprint, to show that the suspect model
was stolen or derived from a source model owned by the accuser. Most of the
existing MOR schemes prioritize robustness against malicious suspects, ensuring
that the accuser will win if the suspect model is indeed a stolen model.
In this paper, we show that common MOR schemes in the literature are
vulnerable to a different, equally important but insufficiently explored,
robustness concern: a malicious accuser. We show how malicious accusers can
successfully make false claims against independent suspect models that were not
stolen. Our core idea is that a malicious accuser can deviate (without
detection) from the specified MOR process by finding (transferable) adversarial
examples that successfully serve as evidence against independent suspect
models. To this end, we first generalize the procedures of common MOR schemes
and show that, under this generalization, defending against false claims is as
challenging as preventing (transferable) adversarial examples. Via systematic
empirical evaluation we demonstrate that our false claim attacks always succeed
in all prominent MOR schemes with realistic configurations, including against a
real-world model: Amazon's Rekognition API.
Comment: 13 pages, 3 figures.
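The sketch below illustrates the core primitive the false-claim attack relies on, transferable adversarial examples, using one-step targeted FGSM on a surrogate model. The paper's actual procedure for crafting false evidence may differ; all names here are illustrative.

```python
# Hedged sketch: a malicious accuser crafts adversarial examples on a local
# surrogate model, hoping they transfer to an independent suspect model and
# pass as watermark "evidence".
import torch
import torch.nn.functional as F

def fgsm_targeted(surrogate, x, target_label, eps=0.03):
    """One-step targeted FGSM: nudge x toward being classified as
    target_label by the surrogate; transferability is hoped for, not given."""
    x = x.clone().requires_grad_(True)
    loss = F.cross_entropy(surrogate(x), target_label)
    loss.backward()
    # Step against the gradient to *increase* the target-class probability.
    return (x - eps * x.grad.sign()).clamp(0, 1).detach()
```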
Membership Leakage in Label-Only Exposures
Machine learning (ML) has been widely adopted in various privacy-critical
applications, e.g., face recognition and medical image analysis. However,
recent research has shown that ML models are vulnerable to attacks against
their training data. Membership inference is one major attack in this domain:
Given a data sample and model, an adversary aims to determine whether the
sample is part of the model's training set. Existing membership inference
attacks leverage the confidence scores returned by the model as their inputs
(score-based attacks). However, these attacks can be easily mitigated if the
model only exposes the predicted label, i.e., the final model decision.
In this paper, we propose decision-based membership inference attacks and
demonstrate that label-only exposures are also vulnerable to membership
leakage. In particular, we develop two types of decision-based attacks, namely
transfer-attack and boundary-attack. Empirical evaluation shows that our
decision-based attacks can achieve remarkable performance, and even outperform
the previous score-based attacks. We further present new insights on the
success of membership inference based on quantitative and qualitative analysis,
i.e., member samples of a model are more distant to the model's decision
boundary than non-member samples. Finally, we evaluate multiple defense
mechanisms against our decision-based attacks and show that our two types of
attacks can bypass most of these defenses.
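A minimal sketch of the boundary-attack intuition, assuming a hypothetical label-only query function: estimate a sample's distance to the decision boundary as the smallest random-noise magnitude that flips the predicted label, and treat larger distances as evidence of membership. (The paper's boundary attack uses a more refined distance estimate; random noise is a cheap proxy.)

```python
# Hedged sketch of a label-only membership signal via boundary distance.
import numpy as np

def flip_distance(predict_label, x, sigmas=np.linspace(0.01, 1.0, 50),
                  trials=10, rng=np.random.default_rng(0)):
    """Return the smallest noise scale at which the predicted label flips;
    larger values suggest x was a training member."""
    y0 = predict_label(x)
    for sigma in sigmas:
        for _ in range(trials):
            if predict_label(x + rng.normal(0, sigma, x.shape)) != y0:
                return sigma
    return sigmas[-1]  # never flipped within the search range
```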
StolenEncoder: Stealing Pre-trained Encoders in Self-supervised Learning
Pre-trained encoders are general-purpose feature extractors that can be used
for many downstream tasks. Recent progress in self-supervised learning can
pre-train highly effective encoders using a large volume of unlabeled data,
leading to the emerging encoder as a service (EaaS). A pre-trained encoder may
be deemed confidential because its training requires large amounts of data and
computation resources, and because its public release may facilitate misuse of
AI, e.g., for deepfake generation. In this paper, we propose the first attack
called StolenEncoder to steal pre-trained image encoders. We evaluate
StolenEncoder on multiple target encoders pre-trained by ourselves and three
real-world target encoders including the ImageNet encoder pre-trained by
Google, CLIP encoder pre-trained by OpenAI, and Clarifai's General Embedding
encoder deployed as a paid EaaS. Our results show that our stolen encoders have
similar functionality to the target encoders. In particular, the downstream
classifiers built upon a target encoder and a stolen one have similar accuracy.
Moreover, stealing a target encoder using StolenEncoder requires much less data
and computation resources than pre-training it from scratch. We also explore
three defenses that perturb feature vectors produced by a target encoder. Our
results show these defenses are not enough to mitigate StolenEncoder.
Comment: To appear in ACM Conference on Computer and Communications Security (CCS), 2022.
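A hedged sketch of the stealing loop as the abstract describes it: query the target encoder on surrogate data and train a local encoder to reproduce its feature vectors. The query function, data loader, and MSE objective are assumptions, not the paper's recipe.

```python
# Hedged sketch of encoder stealing by feature matching on surrogate data.
import torch
import torch.nn as nn

def steal_encoder(query_target, surrogate_loader, stolen, epochs=10, lr=1e-3):
    """query_target: black-box call returning the target's feature vectors;
    surrogate_loader: iterable of unlabeled image batches;
    stolen: local encoder trained to mimic the target."""
    opt = torch.optim.Adam(stolen.parameters(), lr=lr)
    for _ in range(epochs):
        for x in surrogate_loader:
            with torch.no_grad():
                target_feats = query_target(x)   # one black-box/paid query
            loss = nn.functional.mse_loss(stolen(x), target_feats)
            opt.zero_grad()
            loss.backward()
            opt.step()
    return stolen
```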