面向迁移学习中特征向量差异性的成员推理攻击

Membership Inference Attack for Feature Vector Difference in Transfer Learning

在以图像分类为目标任务的迁移学习场景下,针对攻击者能力和需求对应模型不一致的情况下攻击准确率较低的问题,提出面向特征向量差异性的成员推理攻击方案,构建阴影模型获取不同层次的特征向量,采用欧氏距离对不同特征向量之间的距离进行计算,提出阈值比较步骤对欧氏距离细化分类,并设计阈值选择策略。实验结果表明:在不访问教师模型的情况下,对教师模型实施成员推理攻击,所提攻击方案仍能实现较好的攻击性能。本文方案在Cats vs Dogs、Flowers102和CIFAR-100数据集上成员推理攻击准确率分别达到0.728、0.632和0.581,揭示了迁移学习场景下成员推理攻击的有效性。随着学生模型训练时冻结层数的增加,本文方案在Cats vs Dogs数据集上的攻击性能得到提升。

In the transfer learning scenario with image classification as the target task, to solve the problem of low accuracy in the case of inconsistent corresponding models of the attacker’s ability and demand, a membership inference attack scheme for feature vector difference is proposed, shadow model is constructed to help adversaries obtain feature vectors at different levels, and Euclidean distance is used to calculate the distance between different feature vectors. The threshold comparison step is proposed to classify Euclidean distance and a threshold selection strategy is also designed. Experimental results show that the proposed attack scheme can obtain great attack performance when attacking the teacher model without visiting the teacher model. The membership inference attack accuracy on Cats vs Dogs, Flowers102 and CIFAR-100 datasets achieves 0.728, 0.632 and 0.581 respectively, which reveals the effectiveness of membership inference attack in the transfer learning scenario. Moreover, with the increase of the number of frozen layers in student model training process, the attack performance of the proposed scheme on Cats vs Dogs datasets is improved.