We gratefully acknowledge support from
the Simons Foundation and member institutions.
Full-text links:

Download:

Current browse context:

cs.CR

Change to browse by:

References & Citations

DBLP - CS Bibliography

Bookmark

(what is this?)
CiteULike logo BibSonomy logo Mendeley logo del.icio.us logo Digg logo Reddit logo

Computer Science > Cryptography and Security

Title: Lessons Learned: Defending Against Property Inference Attacks

Authors: Joshua Stock (1), Jens Wettlaufer, Daniel Demmler (1), Hannes Federrath (1) ((1) Universität Hamburg)
Abstract: This work investigates and evaluates multiple defense strategies against property inference attacks (PIAs), a privacy attack against machine learning models. Given a trained machine learning model, PIAs aim to extract statistical properties of its underlying training data, e.g., reveal the ratio of men and women in a medical training data set. While for other privacy attacks like membership inference, a lot of research on defense mechanisms has been published, this is the first work focusing on defending against PIAs. With the primary goal of developing a generic mitigation strategy against white-box PIAs, we propose the novel approach property unlearning. Extensive experiments with property unlearning show that while it is very effective when defending target models against specific adversaries, property unlearning is not able to generalize, i.e., protect against a whole class of PIAs. To investigate the reasons behind this limitation, we present the results of experiments with the explainable AI tool LIME. They show how state-of-the-art property inference adversaries with the same objective focus on different parts of the target model. We further elaborate on this with a follow-up experiment, in which we use the visualization technique t-SNE to exhibit how severely statistical training data properties are manifested in machine learning models. Based on this, we develop the conjecture that post-training techniques like property unlearning might not suffice to provide the desirable generic protection against PIAs. As an alternative, we investigate the effects of simpler training data preprocessing methods like adding Gaussian noise to images of a training data set on the success rate of PIAs. We conclude with a discussion of the different defense approaches, summarize the lessons learned and provide directions for future work.
Subjects: Cryptography and Security (cs.CR); Artificial Intelligence (cs.AI); Machine Learning (cs.LG)
Journal reference: Proceedings of the 20th International Conference on Security and Cryptography SECRYPT (2023) 312-323
DOI: 10.5220/0012049200003555
Cite as: arXiv:2205.08821 [cs.CR]
  (or arXiv:2205.08821v4 [cs.CR] for this version)

Submission history

From: Joshua Stock [view email]
[v1] Wed, 18 May 2022 09:38:37 GMT (883kb,D)
[v2] Fri, 24 Jun 2022 12:52:52 GMT (883kb,D)
[v3] Mon, 31 Oct 2022 15:26:12 GMT (4890kb,D)
[v4] Mon, 9 Oct 2023 09:46:41 GMT (4890kb,D)

Link back to: arXiv, form interface, contact.