Corpus ID: 231802143

ML-Doctor: Holistic Risk Assessment of Inference Attacks Against Machine Learning Models

@article{Liu2021MLDoctorHR,
  title={ML-Doctor: Holistic Risk Assessment of Inference Attacks Against Machine Learning Models},
  author={Yugeng Liu and Rui Wen and Xinlei He and A. Salem and Zhikun Zhang and Michael Backes and Emiliano De Cristofaro and Mario Fritz and Yang Zhang},
  journal={ArXiv},
  year={2021},
  volume={abs/2102.02551}
}
Inference attacks against Machine Learning (ML) models allow adversaries to learn information about training data, model parameters, etc. While researchers have studied these attacks thoroughly, they have done so in isolation. We lack a comprehensive picture of the risks caused by the attacks, such as the different scenarios they can be applied to, the common factors that influence their performance, the relationship among them, or the effectiveness of defense techniques. In this paper, we fill… 
Property Inference Attacks Against GANs
TLDR
This paper proposes the first set of training dataset property inference attacks against GANs, a general attack pipeline that can be tailored to two attack scenarios (the full black-box setting and the partial black-box setting), and a novel optimization framework to increase the attack efficacy.
Dataset correlation inference attacks against machine learning models
TLDR
This work bridges the gap between global leakage about the training dataset and individual-level leakage, and proposes a new attack against ML models: a dataset correlation inference attack, where the attacker's goal is to infer the correlation between input variables of a model.
Property Unlearning: A Defense Strategy Against Property Inference Attacks
TLDR
This paper introduces property unlearning, an effective defense mechanism against white-box property inference attacks, independent of the training data type, model task, or number of properties, and empirically evaluates this mechanism on three different data sets.
Membership Inference Attacks on Machine Learning: A Survey
TLDR
This paper provides taxonomies for both attacks and defenses based on their characterizations, discusses their pros and cons, and points out several promising future research directions to inspire researchers who wish to follow this area.
Dynamic Backdoor Attacks Against Machine Learning Models
TLDR
These techniques can bypass current state-of-the-art defense mechanisms against backdoor attacks, including Neural Cleanse, ABS, and STRIP, and are the first two schemes that algorithmically generate triggers, relying on a novel generative network.
Membership Inference Attacks From First Principles
TLDR
A Likelihood Ratio Attack (LiRA) is developed that is 10× more powerful at low false-positive rates and also strictly dominates prior attacks on existing metrics.
Additive Logistic Mechanism for Privacy-Preserving Self-Supervised Learning
TLDR
A post-training privacy-protection algorithm that adds noise to the neural network's weights and a novel differential privacy mechanism that samples noise from the logistic distribution are designed.
Model Stealing Attacks Against Inductive Graph Neural Networks
TLDR
This paper systematically defines the threat model and proposes six attacks based on the adversary’s background knowledge and the responses of the target models, showing that the proposed model stealing attacks against GNNs achieve promising performance.
When Machine Unlearning Jeopardizes Privacy
TLDR
This paper proposes a novel membership inference attack that leverages the different outputs of an ML model's two versions to infer whether a target sample is part of the training set of the original model but out of the training set of the corresponding unlearned model.
Honest-but-Curious Nets: Sensitive Attributes of Private Inputs Can Be Secretly Coded into the Classifiers' Outputs
TLDR
This work highlights a vulnerability that can be exploited by malicious machine learning service providers to attack their users' privacy in several seemingly safe scenarios, such as encrypted inference, computation at the edge, or private knowledge distillation.

References

Showing 1-10 of 80 references
Label-Leaks: Membership Inference Attack with Label
TLDR
A systematic investigation of membership inference attacks when the target model only provides the predicted label, which focuses on two adversarial settings and proposes a different attack for each, namely a transfer-based attack and a perturbation-based attack.
Systematic Evaluation of Privacy Risks of Machine Learning Models
TLDR
This paper proposes to benchmark membership inference privacy risks by improving existing non-neural-network-based inference attacks and by proposing a new inference attack based on a modification of prediction entropy, and it introduces a new approach to fine-grained privacy analysis by formulating and deriving a new metric called the privacy risk score.
Membership Inference Attacks Against Machine Learning Models
TLDR
This work quantitatively investigates how machine learning models leak information about the individual data records on which they were trained and empirically evaluates the inference techniques on classification models trained by commercial "machine learning as a service" providers such as Google and Amazon.
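As an added, self-contained illustration of the two attack ingredients described in the entries above (the shadow-model threat model of "Membership Inference Attacks Against Machine Learning Models" and the modified prediction entropy metric of "Systematic Evaluation of Privacy Risks of Machine Learning Models"), the following is example code written for this page; it is not code from ML-Doctor or from either cited paper. The target model (a kernel-weighted vote that memorises its training points), the two-blob synthetic dataset, and all function names are constructed assumptions chosen so the attack runs offline in pure Python.

```python
import math
import random

EPS = 1e-6  # clip probabilities so log() never sees 0 or 1


def make_data(n, seed):
    """Constructed toy data (not from any paper): two overlapping
    Gaussian blobs in 2D, label 0 centred at x=-1, label 1 at x=+1."""
    rng = random.Random(seed)
    data = []
    for _ in range(n):
        y = rng.randint(0, 1)
        cx = 1.0 if y == 1 else -1.0
        data.append(((rng.gauss(cx, 1.5), rng.gauss(0.0, 1.5)), y))
    return data


class KernelClassifier:
    """Hypothetical target model: a kernel-weighted vote over the training
    set. It memorises training points, since a query that *is* a training
    point contributes weight exp(0)=1 to its own label, so members get
    more confident, lower-entropy predictions than non-members. That gap
    is exactly what a membership inference attack measures."""

    def __init__(self, train, bandwidth=0.1):
        self.train = train
        self.h2 = 2.0 * bandwidth ** 2

    def predict_proba(self, x):
        votes = [0.0, 0.0]
        for (px, py), y in self.train:
            d2 = (px - x[0]) ** 2 + (py - x[1]) ** 2
            votes[y] += math.exp(-d2 / self.h2)
        total = votes[0] + votes[1]
        if total == 0.0:  # query is far from every training point
            return [0.5, 0.5]
        return [votes[0] / total, votes[1] / total]


def modified_entropy(probs, label):
    """Song & Mittal's modified prediction entropy:
    Mentr = -(1 - p_y) log p_y - sum_{i != y} p_i log(1 - p_i).
    It is 0 for a confident correct prediction and large for a confident
    wrong one, whereas plain entropy ignores the true label."""
    p = [min(max(q, EPS), 1.0 - EPS) for q in probs]
    m = -(1.0 - p[label]) * math.log(p[label])
    for i, q in enumerate(p):
        if i != label:
            m -= q * math.log(1.0 - q)
    return m


def scores(model, samples):
    return [modified_entropy(model.predict_proba(x), y) for x, y in samples]


def choose_threshold(in_scores, out_scores):
    """Pick the Mentr threshold that best separates members from
    non-members on the attacker's *shadow* model, where membership is known.
    Samples with Mentr <= threshold are predicted to be members."""
    best_t, best_acc = math.inf, 0.0
    for t in sorted(set(in_scores + out_scores)) + [math.inf]:
        tp = sum(s <= t for s in in_scores)
        tn = sum(s > t for s in out_scores)
        acc = (tp + tn) / (len(in_scores) + len(out_scores))
        if acc > best_acc:
            best_t, best_acc = t, acc
    return best_t


def run_attack(seed=0, n=200):
    """Shadow-model membership inference: the attacker trains a shadow
    model on its own data, learns a threshold from it, then applies that
    threshold to the target model's outputs. Returns the attack accuracy
    on the target and the mean Mentr of members and non-members."""
    target_in = make_data(n, seed)        # target's training set (members)
    target_out = make_data(n, seed + 1)   # same distribution, never trained on
    shadow_in = make_data(n, seed + 2)    # attacker's own data
    shadow_out = make_data(n, seed + 3)

    shadow = KernelClassifier(shadow_in)
    t = choose_threshold(scores(shadow, shadow_in), scores(shadow, shadow_out))

    target = KernelClassifier(target_in)
    s_in, s_out = scores(target, target_in), scores(target, target_out)
    correct = sum(s <= t for s in s_in) + sum(s > t for s in s_out)
    return correct / (2 * n), sum(s_in) / n, sum(s_out) / n


if __name__ == "__main__":
    acc, m_in, m_out = run_attack()
    print(f"attack accuracy={acc:.3f}  mean Mentr members={m_in:.3f}  "
          f"non-members={m_out:.3f}")
```

Accuracy of 0.5 is random guessing; anything above it quantifies how much the target's output distribution leaks membership. Because the attacker never touches the target's training data, only its black-box outputs and a shadow model over independently sampled data, this is the same threat model the surveyed attacks assume, and swapping in plain entropy or maximum confidence for `modified_entropy` shows why the label-aware metric separates the two populations better.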
ML-Leaks: Model and Data Independent Membership Inference Attacks and Defenses on Machine Learning Models
TLDR
This is the most comprehensive study so far of this emerging and developing threat, using eight diverse datasets that show the viability of the proposed attacks across domains, and it proposes the first effective defense mechanisms against this broader class of membership inference attacks that maintain a high level of utility of the ML model.
Membership Leakage in Label-Only Exposures
TLDR
This paper proposes decision-based membership inference attacks and develops two types of attacks, namely transfer attack and boundary attack, which can achieve remarkable performance and outperform the previous score-based attacks in some cases.
GAN-Leaks: A Taxonomy of Membership Inference Attacks against Generative Models
TLDR
This paper presents the first taxonomy of membership inference attacks, encompassing not only existing attacks but also the novel ones, and proposes the first generic attack model that can be instantiated in a large range of settings and is applicable to various kinds of deep generative models.
Monte Carlo and Reconstruction Membership Inference Attacks against Generative Models
TLDR
This work motivates the use of GANs, since they prove less vulnerable to information leakage attacks while producing detailed samples, and envisions the two attacks, in combination with the formalization of membership inference attack types, as especially useful.
Machine Learning with Membership Privacy using Adversarial Regularization
TLDR
It is shown that the min-max strategy can mitigate the risks of membership inference attacks (near random guess), and can achieve this with a negligible drop in the model's prediction accuracy (less than 4%).
Model Inversion Attacks that Exploit Confidence Information and Basic Countermeasures
TLDR
A new class of model inversion attack is developed that exploits confidence values revealed along with predictions and is able to estimate whether a respondent in a lifestyle survey admitted to cheating on their significant other and recover recognizable images of people's faces given only their name.
The Secret Revealer: Generative Model-Inversion Attacks Against Deep Neural Networks
TLDR
It is theoretically proven that a model's predictive power and its vulnerability to inversion attacks are two sides of the same coin: highly predictive models establish a strong correlation between features and labels, which is exactly what an adversary exploits to mount the attacks.