Abstract
【Purposes】Machine learning models may leak the privacy of their training data during training; membership inference attacks exploit this leakage to steal sensitive user information. To address this problem, an Expectation Equilibrium Optimization algorithm (EEO) based on neural networks is proposed.【Methods】The algorithm adopts an adversarial training and optimization strategy implemented as two nested loops: the inner loop assumes a sufficiently strong adversary whose goal is to maximize the expectation of the attack model; the outer loop performs targeted defensive training whose goal is to maximize the expectation of the target model. Mini-batch gradient descent is used to minimize the loss values of both the inner and outer loops, which preserves model accuracy while reducing the adversary's membership inference capability.【Findings】EEO was applied to the optimized neural network model and membership inference attack experiments were run on three representative image datasets, MNIST, FASHION and Face. Test accuracy on the three datasets dropped by 2.2%, 4.7% and 3.7% respectively, while the accuracy of the attack model dropped by 14.6%, 16.5% and 13.9% respectively, approaching 50%, i.e. random guessing.【Conclusions】The experimental results show that the algorithm balances high model availability with strong privacy: although some privacy leakage is still unavoidable, the trained neural network model defends strongly against membership inference attacks, and the impact on the target model is negligible.
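The two-loop scheme described in the Methods section, as an added illustration that is not the authors' code and does not reproduce the paper's EEO loss (the exact objective is not on this page). It assumes a binary logistic-regression target model, an attack model that sees only the probability the target assigns to the true label, an inner loop that fits the attacker (maximizing its expected success) and an outer loop that runs mini-batch gradient descent on the target's classification loss plus a penalty on the attacker's confidence over training members, in the style of adversarial-regularization defences. The data is constructed so that a small, high-dimensional model overfits and is therefore easy to attack; lam = 0 is the undefended baseline.

```python
import numpy as np


def sigmoid(z):
    return 1.0 / (1.0 + np.exp(-z))


def true_label_conf(w, b, X, y):
    """phi: probability that the target model h(x) = sigmoid(w.x + b) assigns
    to the true label y (the only feature the attacker sees)."""
    h = sigmoid(X @ w + b)
    return np.where(y == 1, h, 1.0 - h)


def attack_prob(u, c, phi):
    """Attack model (assumed form): P(member | phi) = sigmoid(u*phi + c)."""
    return sigmoid(u * phi + c)


def bce(p, t, eps=1e-12):
    p = np.clip(p, eps, 1.0 - eps)
    return -np.mean(t * np.log(p) + (1.0 - t) * np.log(1.0 - p))


def inner_step(u, c, phi, m, lr):
    """Inner loop: one gradient step that makes the attacker as strong as it
    can be, i.e. minimises attack BCE (m = 1 for members, 0 for reference)."""
    g = attack_prob(u, c, phi) - m            # dBCE/dlogit for each point
    return u - lr * np.mean(g * phi), c - lr * np.mean(g)


def outer_loss(w, b, u, c, X, y, lam):
    """Outer objective: target BCE + lam * mean log a(phi) over training
    members, so the target is rewarded for lowering the attacker's confidence."""
    h = sigmoid(X @ w + b)
    phi = np.where(y == 1, h, 1.0 - h)
    a = np.clip(attack_prob(u, c, phi), 1e-12, 1.0)
    return bce(h, y) + lam * np.mean(np.log(a))


def outer_grad(w, b, u, c, X, y, lam):
    """Analytic gradient of outer_loss with respect to (w, b)."""
    n = len(y)
    h = sigmoid(X @ w + b)
    phi = np.where(y == 1, h, 1.0 - h)
    a = attack_prob(u, c, phi)
    sign = np.where(y == 1, 1.0, -1.0)       # dphi/dlogit = sign * h(1-h)
    g = (h - y) / n + lam * (1.0 - a) * u * h * (1.0 - h) * sign / n
    return X.T @ g, float(np.sum(g))


def train_eeo(X_tr, y_tr, X_ref, y_ref, lam, epochs=150, lr=0.2,
              inner_steps=5, batch=10, seed=0):
    """Alternate the inner (attacker) and outer (defender) loops with
    mini-batch gradient descent; lam = 0 is the undefended baseline."""
    rng = np.random.default_rng(seed)
    w, b, u, c = np.zeros(X_tr.shape[1]), 0.0, 0.0, 0.0
    X_all = np.vstack([X_tr, X_ref])
    y_all = np.concatenate([y_tr, y_ref])
    m_all = np.concatenate([np.ones(len(y_tr)), np.zeros(len(y_ref))])
    for _ in range(epochs):
        phi = true_label_conf(w, b, X_all, y_all)
        for _ in range(inner_steps):          # inner loop: refit the attacker
            u, c = inner_step(u, c, phi, m_all, lr)
        order = rng.permutation(len(y_tr))
        for s in range(0, len(order), batch):  # outer loop: defend the target
            bi = order[s:s + batch]
            gw, gb = outer_grad(w, b, u, c, X_tr[bi], y_tr[bi], lam)
            w, b = w - lr * gw, b - lr * gb
    return w, b, u, c


def attack_accuracy(w, b, u, c, X_tr, y_tr, X_ref, y_ref):
    """Share of member / non-member guesses the trained attacker gets right."""
    says_m = attack_prob(u, c, true_label_conf(w, b, X_tr, y_tr)) > 0.5
    says_n = attack_prob(u, c, true_label_conf(w, b, X_ref, y_ref)) > 0.5
    return float((says_m.sum() + (~says_n).sum()) / (len(says_m) + len(says_n)))


def clean_accuracy(w, b, X, y):
    return float(np.mean((sigmoid(X @ w + b) > 0.5) == (y == 1)))


def make_data(n, d, rng):
    """Constructed data: the label follows the sign of x[0] with 25% label
    noise, so a 30-dimensional model trained on 40 points memorises members."""
    X = rng.normal(size=(n, d))
    y = (X[:, 0] > 0).astype(int)
    flip = rng.random(n) < 0.25
    return X, np.where(flip, 1 - y, y)


def demo(lam=1.0, seed=0):
    """Return {name: (test accuracy, attack accuracy)} for lam = 0 and lam."""
    rng = np.random.default_rng(seed)
    X_tr, y_tr = make_data(40, 30, rng)
    X_ref, y_ref = make_data(40, 30, rng)
    X_te, y_te = make_data(400, 30, rng)
    out = {}
    for name, l in (("undefended", 0.0), ("eeo", lam)):
        w, b, u, c = train_eeo(X_tr, y_tr, X_ref, y_ref, lam=l)
        out[name] = (clean_accuracy(w, b, X_te, y_te),
                     attack_accuracy(w, b, u, c, X_tr, y_tr, X_ref, y_ref))
    return out


if __name__ == "__main__":
    for name, (acc, atk) in demo().items():
        print(f"{name:10s} test accuracy {acc:.2f}  attack accuracy {atk:.2f}")
```

Running `demo()` prints test and attack accuracy for the undefended and the defended target; the interesting quantity is how far the attack accuracy moves towards 50% and how much test accuracy is paid for it, which is the trade-off the paper reports on MNIST, FASHION and Face. The penalty weight `lam` is the knob that trades the two off, and `outer_grad` can be checked against finite differences of `outer_loss` before trusting a run.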
Authors
吕彦超
杨玉丽
陈永乐
LYU Yanchao;YANG Yuli;CHEN Yongle(College of Information and Computer,Taiyuan University of Technology,Taiyuan 030024,China)
Source
《太原理工大学学报》
CAS
Peking University Core Journal
2023, No. 5, pp. 763-772 (10 pages)
Journal of Taiyuan University of Technology
Keywords
machine learning
neural network model
membership inference attack
data security
privacy preserving
model reasoning