Research On Membership Inference Attack Defense On Mixup

Posted on: 2024-05-09
Degree: Master
Type: Thesis
Country: China
Candidate: K X Chen
GTID: 2568307067972109
Subject: Cyberspace security
Abstract/Summary:
Membership inference attacks (MIAs), which aim to infer whether a given sample is in the training dataset of a target model, are considered an essential data privacy protection issue and have attracted much attention over the past few years. It is commonly believed that there exists a fundamental association between overfitting of models and MIAs. The trade-off between membership privacy and model utility has been shown to vary among recent studies investigating defense mechanisms against membership inference attacks. For example, current methods add noise or perturbation to reduce the harmful effects of membership inference attacks. Unfortunately, strong perturbations lead to a significant reduction in model utility. Other approaches deploy synthetic samples instead of original samples to defend against membership inference attacks, for example GAN-based methods and knowledge distillation-based methods. However, they obtain only a fixed result rather than an asymptotic result in the trade-off between model utility and member privacy.

We attempt to present an asymptotic result of the trade-off between utility and security by proposing a novel defense mechanism that can largely preserve the model utility or decrease only gradually with the utility, aiming to strike a balance between utility and security. The most serious challenge in defending against membership inference attacks is therefore that it is difficult to deal with the trade-off between the actual utility of the model and the security of membership privacy. The Mixup augmentation technique is widely used to reduce overfitting and improve the utility of models, and we find that it may also have a positive impact on mitigating the privacy risks of membership inference attacks. The original Mixup algorithm performs linear interpolation only once for a given pair of input data. A natural question then arises: does applying Mixup more times continue to improve model utility? Is it possible to further reduce member risk while improving utility? To answer these questions, our work proposes multiple mixup.

We mainly explored the following. Firstly, our work is the first to use the mixed-sample technique alone to defend against membership inference attacks, without adding other auxiliary techniques. We perform multiple mixtures in the feature space, and use the sigmoid function to correct the labels of the multiple mixtures in the label space. Compared with traditional mixed-sample data augmentation methods, our defense can not only further improve the model utility, but also reduce the member privacy risks. Secondly, we have designed a composite metric to accurately measure the trade-off between model utility and member privacy security, which can reflect the asymptotic effect of our method in the trade-off between the actual utility of the model and privacy security. Thirdly, in addition to achieving a better balance between the actual utility of the model and the privacy and security of members, our mixed-sample-based membership inference attack defense scheme has the following advantages. First, our method can be flexibly adjusted to target different security and model utility settings, rather than yielding just a fixed value. Next, our defense is highly efficient, requiring only a modest amount of time for multiple mixing and label corrections. Finally, our defense is more practical, since it does not require additional public datasets.
Keywords/Search Tags:Membership Inference Attack, Model Utility, Privacy Protection, Data Augmentation, Mixing Samples
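
The abstract's question of what happens when Mixup is applied more than once can be made concrete by tracking how much of each original sample survives in every mixed sample. The following is an added example, not code from the thesis: it assumes standard Mixup (one Beta-distributed coefficient per pass, labels mixed linearly) applied repeatedly, pairs samples by a cyclic shift for simplicity, and does not reproduce the thesis's sigmoid label correction, which this page does not specify. All function names and the toy batch are constructed for illustration.

```python
import random

def mixup_round(weights, labels, alpha, rng):
    """One Mixup pass: blend every row with a partner row using one lambda."""
    n = len(weights)
    lam = rng.betavariate(alpha, alpha)   # interpolation coefficient in (0, 1)
    shift = rng.randrange(1, n)           # assumption: cyclic partner, never itself

    def blend(rows):
        return [[lam * a + (1 - lam) * b
                 for a, b in zip(rows[i], rows[(i + shift) % n])]
                for i in range(n)]

    return blend(weights), blend(labels)

def repeated_mixup(one_hot_labels, rounds, alpha=1.0, seed=0):
    """Apply Mixup `rounds` times and return (weights, soft_labels).

    weights[i][j] is the share of original sample j inside mixed sample i,
    so the mixed feature vector is sum_j weights[i][j] * x_j.
    """
    rng = random.Random(seed)
    n = len(one_hot_labels)
    weights = [[1.0 if i == j else 0.0 for j in range(n)] for i in range(n)]
    labels = [[float(v) for v in row] for row in one_hot_labels]
    for _ in range(rounds):
        weights, labels = mixup_round(weights, labels, alpha, rng)
    return weights, labels

def max_single_share(weights):
    """Largest contribution of any one original sample to any mixed sample."""
    return max(max(row) for row in weights)

# Constructed toy batch: 6 samples, 3 classes (one-hot labels).
BATCH_LABELS = [[1, 0, 0], [0, 1, 0], [0, 0, 1],
                [1, 0, 0], [0, 1, 0], [0, 0, 1]]

if __name__ == "__main__":
    for k in range(5):
        w, y = repeated_mixup(BATCH_LABELS, k)
        print(k, round(max_single_share(w), 3), [round(v, 3) for v in y[0]])
```

Each extra pass can only lower or hold the largest single-sample share, which illustrates how repeated mixing dilutes any one training record in what the model sees; whether that translates into lower membership-inference risk is the empirical question the thesis studies.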