Abstract
Image classification, facial recognition, health care and graph data analysis are just a few of the areas where machine learning (ML) models are widely applied. Recent research has revealed that ML models are subject to membership inference attacks (MIAs), which attempt to determine whether or not a given data record was used to train a target model. MIAs succeed because the model leaks information about its training data during the training phase. Differential Privacy (DP) has been applied in ML to limit what can be inferred about individual training samples. In our experiments we therefore mitigate the impact of MIAs with the Differentially Private Stochastic Gradient Descent (DP-SGD) algorithm, which modifies the minibatch stochastic optimization process by clipping per-example gradients and adding noise, so that the model captures useful information about the data as a whole without revealing much about any individual record. In this paper, we evaluate DP-SGD as a countermeasure against MIAs on Convolutional Neural Networks (CNNs) trained on the MNIST dataset. We consider different combinations of DP-SGD's noise multiplier and clipping norm parameters in our evaluation. Through experimental analysis, we show that this defense strategy can mitigate the impact of MIAs on the target model while preserving the target model's accuracy. Evaluation results reveal that our suggested solution for safeguarding privacy against MIAs is successful.
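As an added illustration, not code from the paper or from the TensorFlow Privacy library it uses, the following pure-Python DP-SGD for a small logistic regression shows the two parameters the abstract evaluates: the clipping norm C bounds each example's gradient, and the noise multiplier σ sets the standard deviation (σ·C) of the Gaussian noise added to the summed clipped gradients before the update. The toy dataset, hyperparameters and function names are constructed assumptions for this demonstration.

```python
import math
import random


def make_dataset(n=200, seed=0):
    """Constructed toy data (not MNIST): 2-D points, label 1 if x0 + x1 > 0."""
    rng = random.Random(seed)
    data = []
    for _ in range(n):
        x0, x1 = rng.uniform(-1, 1), rng.uniform(-1, 1)
        y = 1 if x0 + x1 > 0 else 0
        data.append(([x0, x1, 1.0], y))  # trailing 1.0 is the bias feature
    return data


def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))


def example_gradient(w, x, y):
    """Gradient of the logistic loss for a single training example."""
    p = sigmoid(sum(wi * xi for wi, xi in zip(w, x)))
    return [(p - y) * xi for xi in x]


def l2_norm(v):
    return math.sqrt(sum(c * c for c in v))


def clip_gradient(g, clip_norm):
    """Scale g so its L2 norm is at most clip_norm.

    This bounds the influence any one example can have on the update, which
    is what makes the later Gaussian noise calibrated to that influence."""
    n = l2_norm(g)
    if n <= clip_norm:
        return list(g)
    return [c * (clip_norm / n) for c in g]


def dp_sgd_step(w, batch, clip_norm, noise_multiplier, lr, rng=None):
    """One DP-SGD step (Abadi et al. style): clip each per-example gradient,
    sum the clipped gradients, add N(0, (noise_multiplier * clip_norm)^2) noise
    per coordinate, average over the batch, then take a gradient step."""
    if rng is None:
        rng = random.Random(0)
    dim = len(w)
    total = [0.0] * dim
    for x, y in batch:
        g = clip_gradient(example_gradient(w, x, y), clip_norm)
        for i in range(dim):
            total[i] += g[i]
    sigma = noise_multiplier * clip_norm
    noisy = [t + rng.gauss(0.0, sigma) for t in total] if sigma > 0 else total
    return [wi - lr * (ni / len(batch)) for wi, ni in zip(w, noisy)]


def train_dp_sgd(data, clip_norm, noise_multiplier, lr=0.5, batch_size=20,
                 epochs=5, seed=1):
    """Minibatch DP-SGD training loop; returns the learned weight vector."""
    rng = random.Random(seed)
    w = [0.0] * len(data[0][0])
    for _ in range(epochs):
        shuffled = list(data)
        rng.shuffle(shuffled)
        for start in range(0, len(shuffled), batch_size):
            batch = shuffled[start:start + batch_size]
            w = dp_sgd_step(w, batch, clip_norm, noise_multiplier, lr, rng)
    return w


def accuracy(w, data):
    """Fraction of examples whose predicted label (p >= 0.5) matches y."""
    correct = 0
    for x, y in data:
        p = sigmoid(sum(wi * xi for wi, xi in zip(w, x)))
        correct += int((p >= 0.5) == (y == 1))
    return correct / len(data)


if __name__ == "__main__":
    data = make_dataset()
    # Compare the non-private baseline against two DP configurations.
    for clip_norm, noise_multiplier in [(1e9, 0.0), (1.0, 1.1), (0.1, 1.1)]:
        w = train_dp_sgd(data, clip_norm, noise_multiplier)
        print(f"clip_norm={clip_norm} noise_multiplier={noise_multiplier} "
              f"accuracy={accuracy(w, data):.2f}")
```

Setting the noise multiplier to 0 with a very large clipping norm recovers ordinary minibatch SGD, which gives a clean reference point when comparing accuracy across settings. The privacy accountant that turns σ, the sampling rate and the number of steps into an (ε, δ) guarantee is intentionally left out; it is what a library such as TensorFlow Privacy adds on top of this update rule.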
© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG
Cite this paper
Ben Hamida, S., Mrabet, H., Jemai, A. (2022). How Differential Privacy Reinforces Privacy of Machine Learning Models?. In: Bădică, C., Treur, J., Benslimane, D., Hnatkowska, B., Krótkiewicz, M. (eds) Advances in Computational Collective Intelligence. ICCCI 2022. Communications in Computer and Information Science, vol 1653. Springer, Cham. https://doi.org/10.1007/978-3-031-16210-7_54
DOI: https://doi.org/10.1007/978-3-031-16210-7_54
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-16209-1
Online ISBN: 978-3-031-16210-7
eBook Packages: Computer Science, Computer Science (R0)