
Membership Inference Attack And Defense With Limited Sample

Posted on: 2022-05-19
Degree: Master
Type: Thesis
Country: China
Candidate: Z Chen
GTID: 2518306338473274
Subject: Computer Science and Technology
Abstract/Summary:
In the information age, data has become a significant form of capital. To extract knowledge from data effectively, researchers have proposed a wide range of machine learning algorithms. As these algorithms have been widely applied, their vulnerabilities have been fully exposed, and more and more researchers are paying attention to the security of machine learning systems. For example, scholars have proposed many defense methods against membership inference attacks, but some problems remain unsolved. First, researchers usually assume that the attacker has strong background knowledge and plenty of available samples, which to some extent narrows the scenarios in which the attack can be studied and applied. Second, existing defenses against membership inference attacks are mainly heuristic; some involve a complicated training process, and most need to make assumptions about background knowledge. In contrast, differential privacy has the advantage of rigorous mathematical proofs, and researchers have explored how to apply it to defending against membership inference attacks, but that work remains largely theoretical. Given these problems, this dissertation draws on the latest research results to analyze the related techniques in depth. The main contents are as follows:

(1) To address the limited number of samples an attacker can obtain during a membership inference attack, the dissertation proposes using an auxiliary classifier generative adversarial network to expand the sample set and then performing the membership inference attack on the generated data set, which reduces the attacker's cost and relaxes the scenarios in which the attack applies. The experimental results show that the method is feasible in a real environment where it is difficult for the attacker to obtain a large amount of background knowledge; that is, membership inference can be performed at a small attack cost and in a stricter environment.

(2) The differential privacy defenses against membership inference attacks proposed so far are largely theoretical and have disadvantages such as complicated calculation processes and insufficiently rigorous analysis of information loss. The dissertation proposes using the differentially private stochastic gradient descent (DPSGD) algorithm to defend against membership inference attacks. Because the privacy measurement mechanism in DPSGD has a complicated calculation process and an insufficient analysis method, its privacy budget measurement mechanism is modified to use a loss measurement mechanism based on zero-concentrated differential privacy, which makes the theoretical analysis more explicit and more rigorous. Experimental results show that this method effectively resists membership inference attacks and achieves a good defense effect without additional computational overhead, restrictions on usage scenarios, or prior knowledge of the attacker.

In short, this dissertation studies membership inference attacks from both the attack side and the defense side. It verifies the effectiveness of the proposed methods through experiments, laying the foundation for follow-up work.

20 figures, 4 tables, 66 references...
Keywords/Search Tags: membership inference attack, limited sample, differential privacy, deep learning
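The defense in part (2) pairs DPSGD's clip-and-noise gradient step with privacy accounting in zero-concentrated differential privacy (zCDP). The sketch below is an added illustration, not code from the dissertation and not its modified mechanism: it uses the standard Gaussian-mechanism and zCDP-to-(ε, δ) bounds, and every function and class name in it is hypothetical. It assumes add/remove adjacency and ignores subsampling amplification, so the reported budget is an upper bound.

```python
import math
import random

def clip(grad, c):
    """Scale one per-example gradient so its L2 norm is at most c."""
    norm = math.sqrt(sum(g * g for g in grad))
    scale = min(1.0, c / norm) if norm > 0 else 1.0
    return [g * scale for g in grad]

def noisy_mean_gradient(per_example_grads, c, sigma, rng):
    """One DPSGD aggregation: clip each gradient, sum, add noise, average."""
    total = [0.0] * len(per_example_grads[0])
    for grad in per_example_grads:
        for i, g in enumerate(clip(grad, c)):
            total[i] += g
    n = len(per_example_grads)
    # Clipping bounds each example's contribution by c, so the noise std is sigma * c.
    return [(t + rng.gauss(0.0, sigma * c)) / n for t in total]

class ZCDPAccountant:
    """Tracks rho over composed Gaussian mechanisms (no subsampling amplification)."""
    def __init__(self):
        self.rho = 0.0

    def step(self, sigma):
        # A Gaussian mechanism with noise multiplier sigma satisfies
        # (1 / (2 * sigma^2))-zCDP, and zCDP composes by adding rho.
        self.rho += 1.0 / (2.0 * sigma ** 2)

    def epsilon(self, delta):
        # rho-zCDP implies (rho + 2 * sqrt(rho * ln(1/delta)), delta)-DP.
        return self.rho + 2.0 * math.sqrt(self.rho * math.log(1.0 / delta))

def train_budget(steps, sigma, delta):
    """Return (rho, epsilon) spent after `steps` noisy gradient releases."""
    acc = ZCDPAccountant()
    for _ in range(steps):
        acc.step(sigma)
    return acc.rho, acc.epsilon(delta)

if __name__ == "__main__":
    rng = random.Random(0)
    grads = [[3.0, 4.0], [0.3, 0.4], [-6.0, 8.0]]  # constructed sample gradients
    print(noisy_mean_gradient(grads, c=1.0, sigma=1.1, rng=rng))
    print(train_budget(steps=100, sigma=10.0, delta=1e-5))
```

Because ρ grows linearly with the number of steps, the budget for a whole training run is a single sum followed by one conversion to (ε, δ).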