
Active Membership Inference Attack Method Based on Multiple Redundant Neurons
Abstract: Federated learning protects the privacy of raw data by exchanging model parameters or gradient information, but it still suffers from privacy leakage. For example, membership inference attacks aim to infer whether a target data sample was used to train a machine learning model in federated learning. Existing active membership inference attacks in federated learning that are based on constructing model parameters are not robust to operations such as dropout. To address this problem, an active membership inference attack method based on multiple redundant neurons is proposed. The method exploits the property that the ReLU activation function outputs 0 when its input is negative, constructs model parameters according to the target data to be inferred, and infers membership by observing the difference between member data and non-member data in the model parameter updates. It uses the redundancy of model neurons to construct multiple paths, which makes it robust to dropout. Experiments on the MNIST, CIFAR10 and CIFAR100 datasets demonstrate the effectiveness of the method: with dropout introduced, the proposed method still achieves an accuracy of 100%.
Authors: WANG Degang (汪德刚); SUN Yi (孙奕); GAO Qi (高琦) (School of Cryptographic Engineering, Information Engineering University, Zhengzhou 450001, China)
Source: Computer Science (《计算机科学》), CSCD, Peking University Core Journal, 2024, No. 4, pp. 373-380 (8 pages)
Keywords: Federated learning; Machine learning model; Multiple redundant neurons; Active membership inference attack
