11 research outputs found
SafeNet: The Unreasonable Effectiveness of Ensembles in Private Collaborative Learning
Secure multiparty computation (MPC) has been proposed to allow multiple
mutually distrustful data owners to jointly train machine learning (ML) models
on their combined data. However, by design, MPC protocols faithfully compute
the training functionality, which the adversarial ML community has shown to
leak private information and can be tampered with in poisoning attacks. In this
work, we argue that model ensembles, implemented in our framework called
SafeNet, are a highly MPC-amenable way to avoid many adversarial ML attacks.
The natural partitioning of data amongst owners in MPC training allows this
approach to be highly scalable at training time, provide provable protection
from poisoning attacks, and provably defense against a number of privacy
attacks. We demonstrate SafeNet's efficiency, accuracy, and resilience to
poisoning on several machine learning datasets and models trained in end-to-end
and transfer learning scenarios. For instance, SafeNet reduces backdoor attack
success significantly, while achieving faster training and less communication than the four-party MPC framework of Dalskov et al.
Our experiments show that ensembling retains these benefits even in many
non-iid settings. The simplicity, cheap setup, and robustness properties of
ensembling make it a strong first choice for training ML models privately in
MPC
Chameleon: Increasing Label-Only Membership Leakage with Adaptive Poisoning
The integration of machine learning (ML) in numerous critical applications
introduces a range of privacy concerns for individuals who provide their
datasets for model training. One such privacy risk is Membership Inference
(MI), in which an attacker seeks to determine whether a particular data sample
was included in the training dataset of a model. Current state-of-the-art MI
attacks capitalize on access to the model's predicted confidence scores to
successfully perform membership inference, and employ data poisoning to further
enhance their effectiveness. In this work, we focus on the less explored and
more realistic label-only setting, where the model provides only the predicted
label on a queried sample. We show that existing label-only MI attacks are
ineffective at inferring membership in the low False Positive Rate (FPR)
regime. To address this challenge, we propose a new attack Chameleon that
leverages a novel adaptive data poisoning strategy and an efficient query
selection method to achieve significantly more accurate membership inference
than existing label-only attacks, especially at low FPRs
Trident: Efficient 4PC Framework for Privacy Preserving Machine Learning
Machine learning has started to be deployed in fields such as healthcare and
finance, which propelled the need for and growth of privacy-preserving machine
learning (PPML). We propose an actively secure four-party protocol (4PC), and a
framework for PPML, showcasing its applications on four of the most
widely-known machine learning algorithms -- Linear Regression, Logistic
Regression, Neural Networks, and Convolutional Neural Networks. Our 4PC
protocol tolerating at most one malicious corruption is practically efficient
as compared to the existing works. We use the protocol to build an efficient
mixed-world framework (Trident) to switch between the Arithmetic, Boolean, and
Garbled worlds. Our framework operates in the offline-online paradigm over
rings and is instantiated in an outsourced setting for machine learning. Also,
we propose conversions especially relevant to privacy-preserving machine
learning. The highlights of our framework include using a minimal number of
expensive circuits overall as compared to ABY3. This can be seen in our
technique for truncation, which does not affect the online cost of
multiplication and removes the need for any circuits in the offline phase. Our
B2A conversion has an improvement of in rounds and
in the communication complexity. The practicality of our
framework is argued through improvements in the benchmarking of the
aforementioned algorithms when compared with ABY3. All the protocols are
implemented over a 64-bit ring in both LAN and WAN settings. Our improvements
go up to for the training phase and
for the prediction phase when observed over LAN and WAN.Comment: This work appeared at the 26th Annual Network and Distributed System
Security Symposium (NDSS) 2020. Update: An improved version of this framework
is available at arXiv:2106.0285
SNAP: Efficient Extraction of Private Properties with Poisoning
Property inference attacks allow an adversary to extract global properties of
the training dataset from a machine learning model. Such attacks have privacy
implications for data owners sharing their datasets to train machine learning
models. Several existing approaches for property inference attacks against deep
neural networks have been proposed, but they all rely on the attacker training
a large number of shadow models, which induces a large computational overhead.
In this paper, we consider the setting of property inference attacks in which
the attacker can poison a subset of the training dataset and query the trained
target model. Motivated by our theoretical analysis of model confidences under
poisoning, we design an efficient property inference attack, SNAP, which
obtains higher attack success and requires lower amounts of poisoning than the
state-of-the-art poisoning-based property inference attack by Mahloujifar et
al. For example, on the Census dataset, SNAP achieves 34% higher success rate
than Mahloujifar et al. while being 56.5x faster. We also extend our attack to
infer whether a certain property was present at all during training and
estimate the exact proportion of a property of interest efficiently. We
evaluate our attack on several properties of varying proportions from four
datasets and demonstrate SNAP's generality and effectiveness. An open-source
implementation of SNAP can be found at https://github.com/johnmath/snap-sp23.Comment: 28 pages, 16 figure
ASTRA: High Throughput 3PC over Rings with Application to Secure Prediction
The concrete efficiency of secure computation has been the focus of many
recent works. In this work, we present concretely-efficient protocols for
secure -party computation (3PC) over a ring of integers modulo
tolerating one corruption, both with semi-honest and malicious security. Owing
to the fact that computation over ring emulates computation over the real-world
system architectures, secure computation over ring has gained momentum of late.
Cast in the offline-online paradigm, our constructions present the most
efficient online phase in concrete terms. In the semi-honest setting, our
protocol requires communication of ring elements per multiplication gate
during the {\it online} phase, attaining a per-party cost of {\em less than one
element}. This is achieved for the first time in the regime of 3PC. In the {\it
malicious} setting, our protocol requires communication of elements per
multiplication gate during the online phase, beating the state-of-the-art
protocol by elements. Realized with both the security notions of selective
abort and fairness, the malicious protocol with fairness involves slightly more
communication than its counterpart with abort security for the output gates
{\em alone}.
We apply our techniques from PC in the regime of secure server-aided
machine-learning (ML) inference for a range of prediction functions-- linear
regression, linear SVM regression, logistic regression, and linear SVM
classification. Our setting considers a model-owner with trained model
parameters and a client with a query, with the latter willing to learn the
prediction of her query based on the model parameters of the former. The inputs
and computation are outsourced to a set of three non-colluding servers. Our
constructions catering to both semi-honest and the malicious world, invariably
perform better than the existing constructions.Comment: This article is the full and extended version of an article appeared
in ACM CCSW 201
FLASH: Fast and Robust Framework for Privacy-preserving Machine Learning
Privacy-preserving machine learning (PPML) via Secure Multi-party Computation (MPC) has gained momentum in the recent past. Assuming a minimal network of pair-wise private channels, we propose an efficient four-party PPML framework over rings , FLASH, the first of its kind in the regime of PPML framework, that achieves the strongest security notion of Guaranteed Output Delivery (all parties obtain the output irrespective of adversary\u27s behaviour). The state of the art ML frameworks such as ABY3 by {\em Mohassel et.al} (ACM CCS\u2718) and SecureNN by {\em Wagh et.al} (PETS\u2719) operate in the setting of parties with one malicious corruption but achieve the {\em weaker} security guarantee of {\em abort}. We demonstrate PPML with real-time efficiency, using the following custom-made tools that overcome the limitations of the aforementioned state-of-the-art-- (a) {\em dot product}, which is independent of the vector size unlike the state-of-the-art ABY3, SecureNN and ASTRA by {\em Chaudhari et.al} (ACM CCSW\u2719), all of which have linear dependence on the vector size. (b) {\em Truncation}, which is constant round and free of circuits like Ripple Carry Adder (RCA), unlike ABY3 which uses these circuits and has round complexity of the order of depth of these circuits. We then exhibit the application of our FLASH framework in the secure server-aided prediction of vital algorithms-- Linear Regression, Logistic Regression, Deep Neural Networks, and Binarized Neural Networks. We substantiate our theoretical claims through improvement in benchmarks of the aforementioned algorithms when compared with the current best framework ABY3. All the protocols are implemented over a 64-bit ring in LAN and WAN. Our experiments demonstrate that, for MNIST dataset, the improvement (in terms of throughput) ranges from to over LAN and WAN together
Solid pseudo papillary neoplasm of the pancreas: A diagnostic dilemma
Solid cystic tumor of the pancreas (SCPT), also known as Frantz tumor is a rare pancreatic tumor with an incidence less than 2% of all non-endocrine pancreatic tumors. Young women are more often affected than men. We report the case of a 28-year-old female who presented with vague abdominal pain of two-month duration. Ultrasonography (USG) and computed tomography (CT) scan revealed a large cystic mass which was seen to be arising from the tail of the pancreas and attached to the mesentery. Distal pancreatectomy was done, which on histopathological examination was diagnosed as SCPT. Due to its rareness and behavior, this tumor is often associated with diagnostic and management problems
Early loss of radiographic reduction after acute acromioclavicular joint reconstruction: Comparison of open Double Endobutton fixation vs. Nottingham Surgilig
Introduction: Surgical treatment is usually recommended for the acute unstable acromioclavicular joint (ACJ) dislocations. Among the wide variety of different surgical techniques, the Double Endobutton and the Nottingham Surgilig technique are two of the most widely acceptable and well described techniques. The aim of this study was to offer a direct comparison of the above techniques in question, analysing the patients outcomes and assessing the risk of early loss of radiographic reduction. Materials and methods: A total of 48 patients who met the inclusion criteria were included in the study. Patients were categorised in two groups (Endobutton and Nottingham Surgilig group) and post operative assessment of the patients was performed using the Oxford Shoulder (OSS) and Constant Murley (CMS) scores. Patient demographics, hand dominance, ACJ classification and co-morbidities were included in the analysis and radiographic evaluation was conducted for both groups. Results: Both techniques provide a good outcome in the management of unstable ACJ dislocations but the risk of early radiographic failure remains higher in the double Endobutton technique (26% vs. 17.39% for the Nottingham Surgilig group). Factors such as patients’ demographics, hand dominance, co-morbidities and grade of ACJ separation do not seem to contribute to radiographic loss of reduction, whereas the incorrect positioning of the coracoid endobutton is a significant factor predisposing to early radiographic failure, P < 0.001. Discussion: The incidence of early loss of radiographic reduction still remains high in both groups. In order to reduce this common complication, accurate placement of the coracoid endobutton under fluoroscopic intra-operative control is strongly recommended