Current browse context:
cs.CR
Change to browse by:
References & Citations
Computer Science > Cryptography and Security
Title: Truth Serum: Poisoning Machine Learning Models to Reveal Their Secrets
(Submitted on 31 Mar 2022 (v1), last revised 6 Oct 2022 (this version, v2))
Abstract: We introduce a new class of attacks on machine learning models. We show that an adversary who can poison a training dataset can cause models trained on this dataset to leak significant private details of training points belonging to other parties. Our active inference attacks connect two independent lines of work targeting the integrity and privacy of machine learning training data.
Our attacks are effective across membership inference, attribute inference, and data extraction. For example, our targeted attacks can poison <0.1% of the training dataset to boost the performance of inference attacks by 1 to 2 orders of magnitude. Further, an adversary who controls a significant fraction of the training data (e.g., 50%) can launch untargeted attacks that enable 8x more precise inference on all other users' otherwise-private data points.
Our results cast doubts on the relevance of cryptographic privacy guarantees in multiparty computation protocols for machine learning, if parties can arbitrarily select their share of training data.
Submission history
From: Florian Tramèr [view email][v1] Thu, 31 Mar 2022 18:06:28 GMT (8637kb,D)
[v2] Thu, 6 Oct 2022 16:27:36 GMT (30756kb,D)
Link back to: arXiv, form interface, contact.