
Research On Attack And Defense Mechanism Of Membership Inference In Federated Deep Learning

Posted on: 2022-07-09
Degree: Master
Type: Thesis
Country: China
Candidate: Y Chen
Full Text: PDF
GTID: 2518306602493204
Subject: Communication and Information System
Abstract/Summary:
Deep learning is an emerging data analysis technology. Its efficient modeling of data and automatic extraction of multi-dimensional features from massive data have made it widely developed and applied in many fields, providing users with intelligent and convenient services. While users enjoy the convenience these services bring, they also face an increased risk of data privacy leakage. With the emergence of privacy leakage incidents, users are paying more attention to the protection of personal data. Federated learning does not require personal data to be shared directly, and offers advantages such as high data privacy, efficient model training and low communication overhead. It has gradually become a hot research direction in the context of transmitting and training on massive data and deploying many distributed devices. With in-depth study of federated learning systems, researchers have discovered that they carry many risks of data privacy leakage. In a federated learning system, the parameter server aggregates the model gradients uploaded by each participant and uses them to update the global model. Each participant must upload local parameters in every iteration, and these parameters contain private information about the local training set. An attacker can extract private information about the local training data from these parameters. In this paper, we study the privacy security of federated learning systems in depth and propose a membership inference attack model aimed at vulnerable records in federated learning systems, which can accurately infer whether a record belongs to the training set of a participant. At the same time, a privacy defense countermeasure against this attack is proposed to protect the private information in participants' training sets. The main research works are as follows:

1. Aiming at the vulnerability of the parameter sharing protocol in federated learning systems, a membership inference attack model for vulnerable records is proposed. At the parameter server, the attacker exploits the distinctive influence that vulnerable records have on the model to judge whether a record was used to train it. The attacker builds a labeled dataset from the features that distinguish member from non-member data and trains the attack model on it. During federated training, the attacker feeds a participant's gradient parameters into the attack model, which infers the membership of the data. Experimental results on the Adult, Cancer and MNIST datasets show that the parameter sharing protocol of a federated learning system leaks participants' data privacy even though the datasets are never uploaded directly. Compared with the previously proposed black-box attack, our white-box attack on federated learning infers membership information more accurately on all three datasets. Evaluated by precision and recall, our attack model performs better on the classification problem of membership inference.

2. For attacks on participants' training sets in federated learning systems, a privacy protection scheme combining Generative Adversarial Network (GAN) data generation with differential privacy is proposed. The method first considers that special records in a dataset are particularly vulnerable to membership inference, so a GAN is used to generate data that is harder for the attacker to exploit. Meanwhile, for a participant who wants to protect data privacy, we take advantage of the parameter sharing characteristic of federated learning to use the GAN to generate the data of the other participants during model training, so that the presence of this other data disturbs the attacker's attack on the participant's training set. Finally, a differential privacy algorithm adds noise to the parameters uploaded by participants, making it difficult for the attacker to judge membership from parameter updates. The experiments evaluate the model accuracy on each dataset under our privacy protection scheme. We also assess the attack model's accuracy under the scheme; the results show that, at the same privacy budget, our method defends against the attacker better than directly applying differential privacy alone. To achieve a given level of attack defense, our scheme needs to add less noise, and the federated learning model performs better.
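As an added illustration of the last step of the defense described above (clipping and noising each participant's uploaded update before the server averages it), not code from the thesis: the clip norm, per-round epsilon and delta, the three constructed updates and the plain FedAvg aggregation are all assumptions for this example.

```python
import math
import random

def l2_norm(vec):
    return math.sqrt(sum(x * x for x in vec))

def clip_update(update, clip_norm):
    """Scale a participant's update so its L2 norm is at most clip_norm.
    Clipping bounds the sensitivity of the upload, so any single record
    (vulnerable or not) can move the uploaded vector only a bounded amount."""
    norm = l2_norm(update)
    scale = min(1.0, clip_norm / norm) if norm > 0 else 1.0
    return [x * scale for x in update]

def gaussian_sigma(clip_norm, epsilon, delta):
    """Noise scale of the Gaussian mechanism for L2 sensitivity clip_norm.
    Classic bound, valid for 0 < epsilon < 1 (Dwork and Roth, Thm. A.1)."""
    return clip_norm * math.sqrt(2.0 * math.log(1.25 / delta)) / epsilon

def privatize_update(update, clip_norm, epsilon, delta, rng):
    """What a participant uploads: clipped update plus i.i.d. Gaussian noise.
    Epsilon and delta are per round here; accounting the budget across
    rounds is assumed to be done by a separate privacy accountant."""
    sigma = gaussian_sigma(clip_norm, epsilon, delta)
    return [x + rng.gauss(0.0, sigma) for x in clip_update(update, clip_norm)]

def fed_avg(updates):
    """Server side: plain average of the already privatized uploads."""
    dim = len(updates[0])
    return [sum(u[i] for u in updates) / len(updates) for i in range(dim)]

def demo_round(seed=7):
    """Constructed example: three participants, one whose update has an
    outsized norm, the kind of signal a membership inference attack keys on.
    Deterministic for a given seed."""
    rng = random.Random(seed)
    raw_updates = [
        [0.20, -0.10, 0.05],
        [0.15, -0.05, 0.10],
        [3.00, -2.50, 4.00],  # constructed outlier update (norm > clip_norm)
    ]
    clip_norm, epsilon, delta = 1.0, 0.5, 1e-5  # assumed parameters
    uploads = [privatize_update(u, clip_norm, epsilon, delta, rng)
               for u in raw_updates]
    return fed_avg(uploads)
```

With epsilon 0.5 and delta 1e-5 the noise scale is roughly 9.7 times the clip norm, which shows why a small per-round budget costs model accuracy and why the thesis pairs differential privacy with GAN-generated data to reduce the noise needed.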
Keywords/Search Tags: Privacy-preserving, Federated Learning, Membership Inference, Generative Adversarial Network, Differential Privacy