Author: migrated to CSDN | Source: published 2020-04-24 15:19, 0 reads

    [CCS'19] MemGuard: Defending against Black-Box Membership Inference Attacks via Adversarial Examples

    Keywords: Membership Inference Attack, Adversarial Example
    Takeaways: This paper proposes the clever idea of defending against membership inference attacks (MIA) by turning adversarial examples (AE) against the attacker, i.e., attacking the attack classifier. The defense outperforms its counterparts by strictly bounding the utility loss of the confidence score vector, thus achieving an optimal trade-off between utility and privacy.


    Background

    1. Membership Inference Attacks

    [Figure: Membership Inference Attacks]

    In a nutshell, an attacker trains a binary classifier which takes a data sample's confidence score vector, as predicted by the target classifier, as input and predicts whether the data sample is a member or a non-member of the target classifier's training dataset.

    MIA leads to:

    1. Severe privacy violations (e.g., in sensitive domains that rely on big data, such as health care)
    2. Damage to the model provider's intellectual property (the carefully processed training data is effectively stolen)

    A major reason why membership inference attacks succeed is that the target classifier is overfitted:
    as a result, the confidence score vectors predicted by the target classifier are distinguishable for members and non-members of the training dataset.

    2. Existing defenses against MIA:

    • Regularization based defenses
      • L2-Regularizer
      • Min-Max Game
      • Dropout
    • Ensemble method
      • Model Stacking
    • Differential privacy
      • DP-SGD

    Refer to the paper for details.


    Design

    1. Overview

    [Figure: Overview]
    • Goal 1: The attack classifier is inaccurate at inferring whether a sample is a member or non-member of the target classifier's training dataset
    • Goal 2: The utility loss of the confidence score vector is bounded

    2. Formulation of MIA defense:

    [Figure: Formulation of the optimization problem]

    3. Key ideas of the solution

    1. Divide the noisy space


    2. Two-phase Framework to solve the optimization problem


    4. Solution

    (Note: the original optimization problem solves for a probability distribution over noise vectors subject to many non-linear constraints; it is transformed into an unconstrained optimization over two fixed variables, by first transforming the constraints and then eliminating them.)
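    The following is an added, simplified worked example of the design described above (the two goals, the noise-space split and the two-phase solution); it is not code from the MemGuard paper or its authors. The attack classifier g is a constructed toy (a steep logistic on the top confidence score with a made-up threshold of 0.675), Phase I is a fixed-step search that shifts mass between the top class and the runner-up in place of the paper's gradient-based search, and Phase II uses p = min(1, epsilon / ||r||_1) so that the expected L1 utility loss stays within the budget epsilon. The confidence vectors used as input are constructed.

```python
import math
import random

# Constructed stand-in for the defender's own copy of the attack classifier g.
# Overfitted target models give members sharper top scores, so a steep logistic
# on the top score is enough to play the role of a membership classifier here.
ATTACK_THRESHOLD = 0.675  # constructed value, not taken from the paper


def attack_classifier(score_vector):
    """Return g(s): the toy attack model's estimated probability that s belongs to a member."""
    top = max(score_vector)
    return 1.0 / (1.0 + math.exp(-20.0 * (top - ATTACK_THRESHOLD)))


def is_valid(s, noisy):
    """Utility constraints MemGuard keeps: s + r is a probability vector with the same argmax as s."""
    if any(v < 0.0 for v in noisy):
        return False
    if abs(sum(noisy) - 1.0) > 1e-9:
        return False
    return noisy.index(max(noisy)) == s.index(max(s))


def phase_one(s, step=0.01, max_iters=200):
    """Phase I: find a small noise vector r such that g(s + r) crosses 0.5 while the
    predicted label is unchanged. Simplified stand-in for the paper's gradient-based
    search: shift probability mass between the top class and the runner-up in fixed
    steps, in whichever direction pushes g across 0.5. Returns None if no
    label-preserving noise flips g."""
    top = s.index(max(s))
    runner = max((i for i in range(len(s)) if i != top), key=lambda i: s[i])
    member_side = attack_classifier(s) >= 0.5
    direction = -1.0 if member_side else 1.0  # lower the top score if g says "member"
    noisy = list(s)
    for _ in range(max_iters):
        candidate = list(noisy)
        candidate[top] += direction * step
        candidate[runner] -= direction * step
        if not is_valid(s, candidate):
            break
        noisy = candidate
        if (attack_classifier(noisy) >= 0.5) != member_side:
            return [n - o for n, o in zip(noisy, s)]
    return None


def phase_two(r, epsilon):
    """Phase II: add r with probability p and nothing otherwise, where p is the largest
    value whose expected L1 utility loss p * ||r||_1 stays within the budget epsilon."""
    l1 = sum(abs(v) for v in r)
    return min(1.0, epsilon / l1) if l1 > 0 else 0.0


def expected_attack_output(s, r, p):
    """Goal 1 check: the attack model's expected output under the randomized defense."""
    defended = [a + b for a, b in zip(s, r)]
    return p * attack_classifier(defended) + (1 - p) * attack_classifier(s)


def memguard(s, epsilon, seed=None):
    """Return (served score vector, p). Serves the clean vector when Phase I fails."""
    r = phase_one(s)
    if r is None:
        return list(s), 0.0
    p = phase_two(r, epsilon)
    if random.Random(seed).random() < p:
        return [a + b for a, b in zip(s, r)], p
    return list(s), p


if __name__ == "__main__":
    member_like = [0.9, 0.07, 0.03]  # constructed confidence vector of a likely member
    r = phase_one(member_like)
    p = phase_two(r, 0.3)
    print("noise:", [round(v, 2) for v in r], "p:", round(p, 3),
          "expected g:", round(expected_attack_output(member_like, r, p), 3))
    print("served:", memguard(member_like, 0.3, seed=1))
```

    With the budget epsilon = 0.3 the member-like vector gets p below 1, so the expected output of g only moves part of the way toward 0.5; raising epsilon to 1.0 lets p reach 1 and the attack output drop below 0.5, which is exactly the utility/privacy trade-off the two goals describe. A near-uniform vector such as [0.34, 0.33, 0.33] has no label-preserving noise that flips the toy g, so Phase I returns None and the clean vector is served.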

    Experimental Results

    Omitted. Refer to the paper for details.


    Personal Response

    + Strengths:

    1. The clever idea of using adversarial examples to defend against MIA
    2. The skillful transformation and elimination of constraints when solving the optimization problem

    - Weaknesses:

    1. It seems that the authors have missed an important part of the noisy-space grouping. Specifically, the noisy space is claimed to be divided into two groups. However, it is not intuitive how to ensure that both groups exist in every case, especially group n1. And how are they grouped?

    [Reprint notice] Please credit the source when reprinting or citing this blog post -- AISecPaperShare
