References & Citations
Computer Science > Cryptography and Security
Title: Knowledge Cross-Distillation for Membership Privacy
(Submitted on 2 Nov 2021 (v1), revised 20 Dec 2021 (this version, v2), latest version 4 Feb 2022 (v3))
Abstract: A membership inference attack (MIA) poses privacy risks on the training data of a machine learning model. With an MIA, an attacker guesses if the target data are a member of the training dataset. The state-of-the-art defense against MIAs, distillation for membership privacy (DMP), requires not only private data to protect but a large amount of unlabeled public data. However, in certain privacy-sensitive domains, such as medical and financial, the availability of public data is not obvious. Moreover, a trivial method to generate the public data by using generative adversarial networks significantly decreases the model accuracy, as reported by the authors of DMP. To overcome this problem, we propose a novel defense against MIAs using knowledge distillation without requiring public data. Our experiments show that the privacy protection and accuracy of our defense are comparable with those of DMP for the benchmark tabular datasets used in MIA researches, Purchase100 and Texas100, and our defense has much better privacy-utility trade-off than those of the existing defenses without using public data for image dataset CIFAR10.
Submission history
From: Junki Mori [view email][v1] Tue, 2 Nov 2021 04:16:08 GMT (674kb,D)
[v2] Mon, 20 Dec 2021 01:58:01 GMT (500kb,D)
[v3] Fri, 4 Feb 2022 05:23:50 GMT (495kb,D)
Link back to: arXiv, form interface, contact.