
Research On Membership Inference Attacks And Protections Of Training Data In Machine Learning

Posted on: 2022-01-20
Degree: Doctor
Type: Dissertation
Country: China
Candidate: G Y Liu
Full Text: PDF
GTID: 1488306572976199
Subject: Information and Communication Engineering
Abstract/Summary:
With the recent growth in computing power and improvement in algorithms, machine learning (ML) has been successful and widely applied in many fields, such as image recognition, natural language translation, and online advertising. Driven by the success of ML, more and more companies and organizations integrate ML components into their services and products to improve the quality and effectiveness of service. However, recent works have demonstrated that ML models are vulnerable to various security and privacy attacks, which pose a leakage threat to users' privacy. Therefore, how to preserve the privacy of the users of ML models has attracted the attention of both research and industry. Although the training data of ML models face many privacy and security threats, this dissertation focuses on a fundamental question known as membership inference: given an ML model and a data record, determine whether this record was used to train this model or not. Many membership inference attacks and protections have been proposed, but these works still face several shortcomings: (1) Existing membership inference attacks only reveal the leakage risk of the membership privacy of training data when information about the target model and its training data is available. The leakage risk of membership privacy is not clear when there is no information about the target model, or when there is only black-box access to it. (2) Existing membership inference protections need to modify the structure and the training process of the protected ML model, or add random noise to the model's predictions. As a consequence, these protections severely affect the usability of the model. (3) Existing works on intellectual property protection in ML cannot authenticate the ownership of the training data, which leaves the security of training data ownership under threat.

To solve the above problems, this dissertation concentrates on the risk of training data privacy leakage in ML models and studies it from the perspectives of membership inference attack, membership inference defense, and ownership authentication of the training data. Specifically, the main works and innovations of this dissertation are summarized as follows:

1. To solve the problem that existing membership inference attacks strictly depend on prior information, this dissertation presents a membership inference attack that does not need information about the target model. The proposed attack shows that an ML model faces the risk of data privacy leakage even when information about the target model is missing. Existing works need prior knowledge about the target ML model and its training data to construct a shadow model that imitates the prediction behavior of the target model, and then extract the difference in prediction behavior between training data and testing data to perform the inference attack. However, information about the target ML model is difficult to obtain in practice, which makes it difficult to construct the shadow model and to provide the data required to perform inference attacks. To this end, a membership inference attack based on prior information about the training data is proposed in this dissertation. The proposed attack leverages the training data information and adversarial learning to construct a mimic model that imitates the prediction behavior of the target model, and then uses the mimic model's predictions to perform the inference attack. This attack breaks the barriers of the algorithm and structure of the target model and realizes a universal attack against different types of ML models. This work illustrates that even without information about the target model, ML models still face a serious risk of data privacy leakage.

2. This dissertation further proposes a novel membership inference attack that merely requires the black-box prediction interface of the target ML model, and this attack reveals that black-box ML models deployed in practice still suffer from the risk of data privacy leakage. Existing membership inference attacks usually use the prediction of the target model. However, when the target model is deployed as a black box, it is hard to obtain the prediction differences between the training and testing data. To address this issue, this dissertation studies the relationship between the gradient of the target model and the membership property of the data, and then leverages the gradient of a data record with respect to the target model to perform the inference attack. Specifically, this attack first constructs a local linear model around the given data record to approximate the prediction behavior of the target ML model, and then derives an approximate gradient for the given record. By comparing the approximate gradient difference between the training data and the testing data, this attack can determine whether the given record was used to train the black-box ML model. This attack requires neither information about the target model nor its training data.

3. For the problem that existing defense methods against membership inference attacks usually affect the usability of ML models, this dissertation proposes a defense based on feature selection and confusion of the training data, in order to achieve a balance between the strength of data privacy protection and the usability of the ML model. Existing works generally use the prediction of ML models to perform membership inference attacks; therefore most defense methods modify the model structure or the model outputs, which greatly affects the availability of the ML model. To address this issue, this dissertation proposes a membership inference defense that can be deployed directly on the training data. From the perspective of reducing the prediction differences between different data of ML models, the proposed defense alleviates the differences in model prediction results caused by different feature values by selecting the features that have a significant influence on the prediction behavior of ML models and then clustering the values of the selected features. With an elaborate design for modifying the values of vital features in the data the ML model is trained on, the proposed defense can thus reduce the differences between the model's outputs on training data and testing data, thereby protecting the training data effectively while keeping the model's accuracy stable. The defense is deployed on the training data and requires no modification of the ML model, which allows it to be deployed with various ML models.

4. For the problem of ownership protection of the training data in ML, this dissertation designs an authentication approach based on membership inference attacks, which can protect the legitimate rights and interests of training data owners. Existing works on intellectual property protection in ML mainly focus on the verification of model ownership and trainer identification. Unlike these works, this dissertation concentrates on the authentication of training data ownership. This approach leverages membership inference technology to extract membership fingerprints for the protected dataset and then verifies the membership property of the fingerprints to protect the ownership of the given data. This dissertation shows for the first time how membership inference technology can be adopted to construct a fingerprint of the protected data, which can be used to reveal the relationship between the protected data and a given ML model. The proposed approach makes no modifications to the protected data, and requires no information about the suspect model except for its prediction interface. Besides, the authentication approach can be used to verify the ownership of an ML model from the perspective of training data verification.
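The following is an added illustration, not code from the dissertation: a self-contained privacy audit that shows the mechanism behind the first point (membership is inferred from the difference in prediction confidence between training and testing records) and the third point (select influential features, cluster their values, retrain, and measure how much the confidence gap shrinks). Everything in it is constructed for the example: the synthetic dataset, the memorising table classifier used as the target, the variance-based influence score, the 1-D k-means used as the clustering step, and the assumption that queries are quantised with the same centroids before reaching the model so that the model itself stays untouched.

```python
"""Membership-inference audit of a toy classifier, before and after a
training-data defense that clusters the values of influential features.

Constructed example (not code from the dissertation): the dataset, the table
classifier, the influence score and the 1-D k-means are assumptions made here
to illustrate the mechanism described in the abstract.
"""
import random

R_BINS = 30      # resolution at which the table classifier discretises each feature
K_CLUSTERS = 4   # value clusters per selected feature (defense parameter, assumed)


def make_dataset(n, seed):
    """Constructed data: label = 1 if x0 + x1 > 1, with 10% label noise.
    x2 is a coarse feature in {0.0, 0.5, 1.0} that is independent of the label."""
    rng = random.Random(seed)
    rows = []
    for _ in range(n):
        x0, x1 = rng.random(), rng.random()
        x2 = rng.choice([0.0, 0.5, 1.0])
        y = 1 if x0 + x1 > 1.0 else 0
        if rng.random() < 0.1:
            y = 1 - y
        rows.append(((x0, x1, x2), y))
    return rows


class TableClassifier:
    """Memorising baseline: class counts per discretised feature cell.
    Confidence for a class is the Laplace-smoothed (count + 1) / (total + 2)."""

    @staticmethod
    def _key(x):
        return tuple(min(int(v * R_BINS), R_BINS - 1) for v in x)

    def fit(self, rows):
        self.cells = {}
        for x, y in rows:
            self.cells.setdefault(self._key(x), [0, 0])[y] += 1
        return self

    def confidence(self, x, y):
        c = self.cells.get(self._key(x), [0, 0])
        return (c[y] + 1) / (c[0] + c[1] + 2)

    def predict(self, x):
        return 1 if self.confidence(x, 1) >= 0.5 else 0


def membership_advantage(model, members, non_members):
    """Simplest form of the confidence-gap attack: a record's confidence on its
    true label is the membership signal. Returns the best TPR - FPR over all
    thresholds (0 means no leakage, 1 means perfect inference)."""
    m_scores = [model.confidence(x, y) for x, y in members]
    n_scores = [model.confidence(x, y) for x, y in non_members]
    best = 0.0
    for t in set(m_scores + n_scores):
        tpr = sum(s >= t for s in m_scores) / len(m_scores)
        fpr = sum(s >= t for s in n_scores) / len(n_scores)
        best = max(best, tpr - fpr)
    return best


def feature_influence(rows, n_features, bins=10):
    """Per feature: variance of the per-bin label mean around the global mean.
    A feature whose value says little about the label scores near zero."""
    global_mean = sum(y for _, y in rows) / len(rows)
    scores = []
    for f in range(n_features):
        groups = {}
        for x, y in rows:
            groups.setdefault(min(int(x[f] * bins), bins - 1), []).append(y)
        scores.append(sum(len(g) * (sum(g) / len(g) - global_mean) ** 2
                          for g in groups.values()) / len(rows))
    return scores


def kmeans_1d(values, k, iters=20):
    """Plain 1-D k-means with quantile initialisation; returns sorted centroids."""
    vals = sorted(values)
    centroids = [vals[(2 * i + 1) * len(vals) // (2 * k)] for i in range(k)]
    for _ in range(iters):
        buckets = [[] for _ in range(k)]
        for v in vals:
            buckets[min(range(k), key=lambda i: abs(v - centroids[i]))].append(v)
        centroids = [sum(b) / len(b) if b else c for b, c in zip(buckets, centroids)]
    return sorted(centroids)


class ClusterDefense:
    """Select influential features and replace their values by the nearest
    cluster centroid learned on the training data. Assumption: queries are
    quantised the same way, so the model itself needs no modification."""

    def fit(self, rows, k=K_CLUSTERS, relative_threshold=0.25):
        scores = feature_influence(rows, len(rows[0][0]))
        top = max(scores)
        self.selected = [f for f, s in enumerate(scores) if s >= relative_threshold * top]
        self.centroids = {f: kmeans_1d([x[f] for x, _ in rows], k) for f in self.selected}
        return self

    def transform(self, x):
        x = list(x)
        for f, cents in self.centroids.items():
            x[f] = min(cents, key=lambda c: abs(c - x[f]))
        return tuple(x)

    def transform_rows(self, rows):
        return [(self.transform(x), y) for x, y in rows]


def accuracy(model, rows):
    return sum(model.predict(x) == y for x, y in rows) / len(rows)


def run_audit(n_train=300, n_test=300, seed=7):
    """Fit the undefended and the defended model on the same training set and
    report membership advantage and held-out accuracy for both."""
    train, test = make_dataset(n_train, seed), make_dataset(n_test, seed + 1)
    plain = TableClassifier().fit(train)
    defense = ClusterDefense().fit(train)
    train_q, test_q = defense.transform_rows(train), defense.transform_rows(test)
    hardened = TableClassifier().fit(train_q)
    return {
        "selected_features": defense.selected,
        "advantage_before": membership_advantage(plain, train, test),
        "advantage_after": membership_advantage(hardened, train_q, test_q),
        "accuracy_before": accuracy(plain, test),
        "accuracy_after": accuracy(hardened, test_q),
    }


if __name__ == "__main__":
    for name, value in run_audit().items():
        print(f"{name}: {value}")
```

In this constructed setting the undefended table puts almost every training record alone in its own cell, so members receive a systematically higher confidence than unseen records and the audit reports a large advantage; clustering the two influential features collapses those cells, the confidence distributions of members and non-members converge, and held-out accuracy rises because the memorisation that caused the gap is gone. The third feature, which carries no label information, falls below the influence threshold and is left as it is.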
Keywords/Search Tags: Membership Inference Attack, Membership Inference Defense, Membership Privacy of Training Data, Black-Box Machine Learning Model, Ownership Authentication of Training Data