Please use this identifier to cite or link to this item: https://doi.org/10.1145/3243734.3243855
Title: Machine Learning with Membership Privacy using Adversarial Regularization
Authors: Nasr, Milad; Shokri, Reza; Houmansadr, Amir
Keywords: Science & Technology; Technology; Computer Science, Theory & Methods; Engineering, Electrical & Electronic; Computer Science; Engineering; Data privacy; Machine learning; Inference attacks; Membership privacy; Indistinguishability; Min-max game; Adversarial process
Issue Date: 1-Jan-2018
Publisher: ASSOC COMPUTING MACHINERY
Citation: Nasr, Milad, Shokri, Reza, Houmansadr, Amir (2018-01-01). Machine Learning with Membership Privacy using Adversarial Regularization. ACM SIGSAC Conference on Computer and Communications Security (CCS) abs/1807.05852 : 634-646. ScholarBank@NUS Repository. https://doi.org/10.1145/3243734.3243855
Abstract: Machine learning models leak information about the datasets on which they are trained. An adversary can build an algorithm to trace the individual members of a model's training dataset. In this fundamental inference attack, the adversary aims to distinguish between data points that were part of the model's training set and any other data points from the same distribution. This is known as the tracing (or membership inference) attack. In this paper, we focus on such attacks against black-box models, where the adversary can only observe the output of the model, not its parameters. This is the current setting of machine learning as a service on the Internet. We introduce a privacy mechanism to train machine learning models that provably achieve membership privacy: the model's predictions on its training data are indistinguishable from its predictions on other data points from the same distribution. We design a strategic mechanism in which the privacy mechanism anticipates the membership inference attacks. The objective is to train a model that not only has the minimum prediction error (high utility), but is also the most robust model against its corresponding strongest inference attack (high privacy). We formalize this as a min-max game optimization problem, and design an adversarial training algorithm that minimizes the classification loss of the model as well as the maximum gain of the membership inference attack against it. This strategy, which guarantees membership privacy (as prediction indistinguishability), also acts as a strong regularizer and significantly improves the model's generalization. We evaluate our privacy mechanism on deep neural networks using different benchmark datasets. We show that our min-max strategy can mitigate the risk of membership inference attacks (bringing the attack close to random guessing) with a negligible cost in terms of classification error.
Source Title: ACM SIGSAC Conference on Computer and Communications Security (CCS)
URI: https://scholarbank.nus.edu.sg/handle/10635/172810
ISBN: 9781450356930
DOI: 10.1145/3243734.3243855
Appears in Collections: Staff Publications; Elements

Files in This Item:
- Shokri-CCS2018(1).pdf: Published version, 1.04 MB, Adobe PDF, access: CLOSED (Published)
- 1807.05852v1.pdf: Submitted version, 684.86 kB, Adobe PDF, access: OPEN (Pre-print)
