Please use this identifier to cite or link to this item:
https://doi.org/10.1145/3243734.3243855
Title: | Machine Learning with Membership Privacy using Adversarial Regularization | Authors: | Nasr, Milad Shokri, Reza Houmansadr, Amir |
Keywords: | Science & Technology Technology Computer Science, Theory & Methods Engineering, Electrical & Electronic Computer Science Engineering Data privacy Machine learning Inference attacks Membership privacy Indistinguishability Min-max game Adversarial process |
Issue Date: | 1-Jan-2018 | Publisher: | ASSOC COMPUTING MACHINERY | Citation: | Nasr, Milad, Shokri, Reza, Houmansadr, Amir (2018-01-01). Machine Learning with Membership Privacy using Adversarial Regularization. ACM SIGSAC Conference on Computer and Communications Security (CCS) abs/1807.05852 : 634-646. ScholarBank@NUS Repository. https://doi.org/10.1145/3243734.3243855 | Abstract: | Machine learning models leak information about the datasets on which they are trained. An adversary can build an algorithm to trace the individual members of a model's training dataset. As a fundamental inference attack, he aims to distinguish between data points that were part of the model's training set and any other data points from the same distribution. This is known as the tracing (and also membership inference) attack. In this paper, we focus on such attacks against black-box models, where the adversary can only observe the output of the model, but not its parameters. This is the current setting of machine learning as a service in the Internet. We introduce a privacy mechanism to train machine learning models that provably achieve membership privacy: the model's predictions on its training data are indistinguishable from its predictions on other data points from the same distribution. We design a strategic mechanism where the privacy mechanism anticipates the membership inference attacks. The objective is to train a model such that not only does it have the minimum prediction error (high utility), but also it is the most robust model against its corresponding strongest inference attack (high privacy). We formalize this as a min-max game optimization problem, and design an adversarial training algorithm that minimizes the classification loss of the model as well as the maximum gain of the membership inference attack against it. This strategy, which guarantees membership privacy (as prediction indistinguishability), acts also as a strong regularizer and significantly generalizes the model. We evaluate our privacy mechanism on deep neural networks using different benchmark datasets. We show that our min-max strategy can mitigate the risk of membership inference attacks (close to the random guess) with a negligible cost in terms of the classification error. | Source Title: | ACM SIGSAC Conference on Computer and Communications Security (CCS) | URI: | https://scholarbank.nus.edu.sg/handle/10635/172810 | ISBN: | 9781450356930 | DOI: | 10.1145/3243734.3243855 |
Appears in Collections: | Staff Publications Elements |
Show full item record
Files in This Item:
File | Description | Size | Format | Access Settings | Version | |
---|---|---|---|---|---|---|
Shokri-CCS2018(1).pdf | Published version | 1.04 MB | Adobe PDF | CLOSED | Published | |
1807.05852v1.pdf | Submitted version | 684.86 kB | Adobe PDF | OPEN | Pre-print | View/Download |
Items in DSpace are protected by copyright, with all rights reserved, unless otherwise indicated.