{"id":5977,"date":"2024-07-11T02:31:11","date_gmt":"2024-07-11T09:31:11","guid":{"rendered":"https:\/\/blogs.ubc.ca\/dependablesystemslab\/?page_id=5977"},"modified":"2024-07-11T09:59:58","modified_gmt":"2024-07-11T16:59:58","slug":"membership-inference-attacks-in-machine-learning-models","status":"publish","type":"page","link":"https:\/\/blogs.ubc.ca\/dependablesystemslab\/projects\/membership-inference-attacks-in-machine-learning-models\/","title":{"rendered":"Membership Inference Attacks in Machine Learning Models"},"content":{"rendered":"<p style=\"font-weight: 400;\">Being an inherently data-driven solution, machine learning (ML) models can aggregate and process vast amounts of data, such as clinical files and financial records. With the growing application of ML-based solutions in privacy-sensitive domains such as healthcare, the potential privacy ramification of training DL models on sensitive data stands out as a notable concern.<\/p>\n<p style=\"font-weight: 400;\">To this end, <strong>membership inference attacks (MIAs)<\/strong> represent a prominent class of privacy attacks that aim to infer whether a given data point was used to train the model.<\/p>\n<p style=\"font-weight: 400;\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-5982 aligncenter\" src=\"https:\/\/blogs.ubc.ca\/dependablesystemslab\/files\/2024\/07\/mia-300x147.jpg\" alt=\"\" width=\"408\" height=\"200\" srcset=\"https:\/\/blogs.ubc.ca\/dependablesystemslab\/files\/2024\/07\/mia-300x147.jpg 300w, https:\/\/blogs.ubc.ca\/dependablesystemslab\/files\/2024\/07\/mia-1024x502.jpg 1024w, https:\/\/blogs.ubc.ca\/dependablesystemslab\/files\/2024\/07\/mia-768x376.jpg 768w, https:\/\/blogs.ubc.ca\/dependablesystemslab\/files\/2024\/07\/mia-1536x753.jpg 1536w, https:\/\/blogs.ubc.ca\/dependablesystemslab\/files\/2024\/07\/mia-2048x1004.jpg 2048w, https:\/\/blogs.ubc.ca\/dependablesystemslab\/files\/2024\/07\/mia-800x392.jpg 800w\" sizes=\"auto, (max-width: 408px) 100vw, 408px\" \/><\/p>\n<p style=\"font-weight: 400;\">MIAs constitute a fundamental threat to data privacy, e.g., if the model is trained on a sensitive population such as patients with a rare disease, then merely divulging that some individual is part of that population may become a severe privacy risk.<\/p>\n<p style=\"font-weight: 400;\">This project studies MIAs from both a <strong>defensive<\/strong> and <strong>adversarial<\/strong> perspective.<\/p>\n<h3>Practical Defense against Membership Inference Attacks<\/h3>\n<p style=\"font-weight: 400;\">We introduce HAMP, a defense technique that can achieve strong membership privacy and high accuracy. To mitigate MIAs in different forms, we observe that they can be uni\ufb01ed as they all<strong> exploit the ML model\u2019s overcon\ufb01dence in predicting training samples<\/strong> through different proxies. This motivates our design to <em>enforce less con\ufb01dent prediction by the model<\/em>, hence forcing the model to behave similarly on the training and testing samples.<\/p>\n<p style=\"font-weight: 400;\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-5980 aligncenter\" src=\"https:\/\/blogs.ubc.ca\/dependablesystemslab\/files\/2024\/07\/hamp-idea-300x133.jpg\" alt=\"\" width=\"390\" height=\"173\" srcset=\"https:\/\/blogs.ubc.ca\/dependablesystemslab\/files\/2024\/07\/hamp-idea-300x133.jpg 300w, https:\/\/blogs.ubc.ca\/dependablesystemslab\/files\/2024\/07\/hamp-idea-1024x454.jpg 1024w, https:\/\/blogs.ubc.ca\/dependablesystemslab\/files\/2024\/07\/hamp-idea-768x340.jpg 768w, https:\/\/blogs.ubc.ca\/dependablesystemslab\/files\/2024\/07\/hamp-idea-1536x680.jpg 1536w, https:\/\/blogs.ubc.ca\/dependablesystemslab\/files\/2024\/07\/hamp-idea-2048x907.jpg 2048w, https:\/\/blogs.ubc.ca\/dependablesystemslab\/files\/2024\/07\/hamp-idea-800x354.jpg 800w\" sizes=\"auto, (max-width: 390px) 100vw, 390px\" \/><\/p>\n<p style=\"font-weight: 400;\">We show that HAMP simultaneously achieves strong privacy protection against a range of existing MIAs (y-axis) and minimal accuracy degradation (x-axis).<\/p>\n<p style=\"font-weight: 400;\"><img loading=\"lazy\" decoding=\"async\" class=\" wp-image-5981 aligncenter\" src=\"https:\/\/blogs.ubc.ca\/dependablesystemslab\/files\/2024\/07\/hamp-res-300x232.jpg\" alt=\"\" width=\"231\" height=\"179\" srcset=\"https:\/\/blogs.ubc.ca\/dependablesystemslab\/files\/2024\/07\/hamp-res-300x232.jpg 300w, https:\/\/blogs.ubc.ca\/dependablesystemslab\/files\/2024\/07\/hamp-res-1024x793.jpg 1024w, https:\/\/blogs.ubc.ca\/dependablesystemslab\/files\/2024\/07\/hamp-res-768x595.jpg 768w, https:\/\/blogs.ubc.ca\/dependablesystemslab\/files\/2024\/07\/hamp-res-1536x1190.jpg 1536w, https:\/\/blogs.ubc.ca\/dependablesystemslab\/files\/2024\/07\/hamp-res-2048x1587.jpg 2048w, https:\/\/blogs.ubc.ca\/dependablesystemslab\/files\/2024\/07\/hamp-res-800x620.jpg 800w\" sizes=\"auto, (max-width: 231px) 100vw, 231px\" \/><\/p>\n<p style=\"font-weight: 400;\">Zitao Chen and Karthik Pattabiraman, <a href=\"https:\/\/blogs.ubc.ca\/dependablesystemslab\/2023\/12\/02\/overconfidence-is-a-dangerous-thing-mitigating-membership-inference-attacks-by-enforcing-less-confident-prediction\/\">Overconfidence is a Dangerous Thing: Mitigating Membership Inference Attacks by Enforcing Less Confident Prediction. <\/a>Proceedings of the\u00a0Network and Distributed Systems Security Conference (NDSS), 2024.\u00a0(Acceptance Rate: 15%). <strong>Artifacts Available, Functional and Reproduced<\/strong><\/p>\n<h5><em><strong>What\u2019s next?<\/strong><\/em><\/h5>\n<p style=\"font-weight: 400;\">Nevertheless, many existing studies assume the ML\u00a0models are trained <em>without<\/em> being adversarially manipulated; whereas a capable adversary may compromise the models to achieve a desired outcome such as amplifying privacy leakage. This motivates the second contribution of this project.<\/p>\n<h3><strong>Supply chain Attack to Facilitate Stealthy and High-power Membership Inference Attacks<\/strong><\/h3>\n<p style=\"font-weight: 400;\">Modern machine learning (ML) ecosystems offer a surging number of ML frameworks and code repositories that can greatly facilitate the development of ML models. Today, even ordinary data holders who are not ML experts can apply an off-the-shelf codebase to build high-performance ML models on their data, which are often sensitive in nature (e.g., clinical records).<\/p>\n<p style=\"font-weight: 400;\">In this work, we consider a <strong>malicious ML provider<\/strong> who supplies model-training code to the data holders (e.g., by injecting compromised code into public repositories as shown in recent real-world incidents [<a href=\"https:\/\/www.theregister.com\/2023\/01\/04\/pypi_pytorch_dependency_attack\/\">example1<\/a>, <a href=\"https:\/\/thehackernews.com\/2024\/01\/tensorflow-cicd-flaw-exposed-supply.html\">example2<\/a>]), does <em>not<\/em> have access to the training process, and has only<em> black-box<\/em> query access to the resulting model.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"size-medium wp-image-5978 aligncenter\" src=\"https:\/\/blogs.ubc.ca\/dependablesystemslab\/files\/2024\/07\/code-poison-1-300x229.jpg\" alt=\"\" width=\"300\" height=\"229\" srcset=\"https:\/\/blogs.ubc.ca\/dependablesystemslab\/files\/2024\/07\/code-poison-1-300x229.jpg 300w, https:\/\/blogs.ubc.ca\/dependablesystemslab\/files\/2024\/07\/code-poison-1-1024x782.jpg 1024w, https:\/\/blogs.ubc.ca\/dependablesystemslab\/files\/2024\/07\/code-poison-1-768x587.jpg 768w, https:\/\/blogs.ubc.ca\/dependablesystemslab\/files\/2024\/07\/code-poison-1-1536x1174.jpg 1536w, https:\/\/blogs.ubc.ca\/dependablesystemslab\/files\/2024\/07\/code-poison-1-2048x1565.jpg 2048w, https:\/\/blogs.ubc.ca\/dependablesystemslab\/files\/2024\/07\/code-poison-1-800x611.jpg 800w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/p>\n<p style=\"font-weight: 400;\">Under this setting, we demonstrate a new form of membership inference attack that is strictly more powerful than prior art.<\/p>\n<p style=\"font-weight: 400;\">The core idea of our attack is to exploit the model\u2019s <strong>memorization capacity<\/strong>, and strategically have the model memorize an additional set of secret (synthetic) samples, whose outputs can be leveraged to encode the membership of the training samples.<\/p>\n<p style=\"font-weight: 400;\">Our attack highlights <strong>four key features<\/strong>:<\/p>\n<p style=\"font-weight: 400;\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-5979 aligncenter\" src=\"https:\/\/blogs.ubc.ca\/dependablesystemslab\/files\/2024\/07\/code-poison-2-300x274.jpg\" alt=\"\" width=\"249\" height=\"227\" srcset=\"https:\/\/blogs.ubc.ca\/dependablesystemslab\/files\/2024\/07\/code-poison-2-300x274.jpg 300w, https:\/\/blogs.ubc.ca\/dependablesystemslab\/files\/2024\/07\/code-poison-2-1024x934.jpg 1024w, https:\/\/blogs.ubc.ca\/dependablesystemslab\/files\/2024\/07\/code-poison-2-768x700.jpg 768w, https:\/\/blogs.ubc.ca\/dependablesystemslab\/files\/2024\/07\/code-poison-2-1536x1401.jpg 1536w, https:\/\/blogs.ubc.ca\/dependablesystemslab\/files\/2024\/07\/code-poison-2-2048x1868.jpg 2048w, https:\/\/blogs.ubc.ca\/dependablesystemslab\/files\/2024\/07\/code-poison-2-800x730.jpg 800w\" sizes=\"auto, (max-width: 249px) 100vw, 249px\" \/><\/p>\n<ul>\n<li><strong>Near-perfect MIA success<\/strong> (high true positive and low false positive).<\/li>\n<li><span style=\"color: #444444;\">MIA is easy to perform (<\/span><strong>no<\/strong><span style=\"color: #444444;\"> reliance on shadow models for calibration).<\/span><\/li>\n<li><strong>Minimal<\/strong><span style=\"color: #444444;\"> accuracy degradation.<\/span><\/li>\n<li><strong>Stealthy<\/strong><span style=\"color: #444444;\"> privacy leakage: The amplified privacy leakage can only be revealed under a <em>specialized<\/em> form of MI process known by the adversary; otherwise the poisoned models would exhibit <\/span><strong>comparable<\/strong><span style=\"color: #444444;\"> privacy leakage as the non-poisoned counterparts, under common MIA methods.<\/span><\/li>\n<\/ul>\n<p style=\"font-weight: 400;\">Zitao Chen and Karthik Pattabiraman, <a href=\"https:\/\/blogs.ubc.ca\/dependablesystemslab\/2024\/06\/22\/a-method-to-facilitate-membership-inference-attacks-in-deep-learning-models\/\">A Method to Facilitate Membership Inference Attacks in Deep Learning Models<\/a>. To Appear in the Proceedings of the\u00a0Network and Distributed Systems Security Conference (NDSS), 2025.\u00a0(Acceptance Rate: TBD).<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Being an inherently data-driven solution, machine learning (ML) models can aggregate and process vast amounts of data, such as clinical files and financial records. With the growing application of ML-based solutions in privacy-sensitive domains such as healthcare, the potential privacy &hellip; <a href=\"https:\/\/blogs.ubc.ca\/dependablesystemslab\/projects\/membership-inference-attacks-in-machine-learning-models\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":86449,"featured_media":0,"parent":5067,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"footnotes":""},"class_list":["post-5977","page","type-page","status-publish","hentry"],"_links":{"self":[{"href":"https:\/\/blogs.ubc.ca\/dependablesystemslab\/wp-json\/wp\/v2\/pages\/5977","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blogs.ubc.ca\/dependablesystemslab\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/blogs.ubc.ca\/dependablesystemslab\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/blogs.ubc.ca\/dependablesystemslab\/wp-json\/wp\/v2\/users\/86449"}],"replies":[{"embeddable":true,"href":"https:\/\/blogs.ubc.ca\/dependablesystemslab\/wp-json\/wp\/v2\/comments?post=5977"}],"version-history":[{"count":12,"href":"https:\/\/blogs.ubc.ca\/dependablesystemslab\/wp-json\/wp\/v2\/pages\/5977\/revisions"}],"predecessor-version":[{"id":5997,"href":"https:\/\/blogs.ubc.ca\/dependablesystemslab\/wp-json\/wp\/v2\/pages\/5977\/revisions\/5997"}],"up":[{"embeddable":true,"href":"https:\/\/blogs.ubc.ca\/dependablesystemslab\/wp-json\/wp\/v2\/pages\/5067"}],"wp:attachment":[{"href":"https:\/\/blogs.ubc.ca\/dependablesystemslab\/wp-json\/wp\/v2\/media?parent=5977"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}