
Leverage Domain Adaptation As A Defense Against Membership Inference

Posted on: 2022-04-20 | Degree: Master | Type: Thesis
Country: China | Candidate: H W Huang
GTID: 2518306734466314 | Subject: Computer application technology
Abstract/Summary:
Deep Learning (DL) solves a problem by training a model on a dataset for that problem. Although the performance of DL models is attractive, their security issues have also been exposed. Among attacks on DL models, the Membership Inference Attack is one that can steal private information about a model's training dataset, such as health status or geographic position. Efforts have been made to address this threat. However, the existing defenses have flaws such as low model utility or high defense overhead. In this paper, a defense that aims to balance effectiveness, utility, and overhead is proposed, which leverages Domain Adaptation (DA) as a defense against membership inference. Leveraging domain adaptation to build defenses faces the following challenges: (1) Since DA is a concept, various implementations exist, and not all of them are appropriate for building a defense that meets the design requirements, so it is necessary to determine the right implementations for our design; (2) A similar and related dataset will be used in our design for DA training. To maximize the performance of our defense, it is necessary to design a technique for generating similar and related data. In this paper, the rationale for leveraging DA is discussed to confirm that DA is appropriate for building defenses. In addition, the implementations of DA and the similar and related datasets are explored to resolve the challenges in our design. Afterward, the design of our defense is proposed. Finally, experiments are conducted to evaluate the performance of our design, which indicate that: (1) Our defense is effective against membership inference attacks, reducing the membership inference accuracy to nearly 50%, equivalent to a random guess. The results also show the stability of our defense, which can tackle various types of attacks. (2) Comparison results show that the utility loss of our design is relatively small. In addition, the overhead of our design is minimal in the comparison. The results also show that our design achieves the best balance among effectiveness, utility, and overhead.
Keywords/Search Tags:Deep Learning, Privacy Preservation, Membership Inference Attack, Domain Adaptation