
A Defense Method Against Property Inference Attacks Based on Proxy (Agent) Training Sets

Defending against Property Inference Attacks Based on Agent Training Datasets
Abstract: This paper is the first to propose an effective defense against property inference attacks. A property inference attack can reveal private property information about the original private dataset that was used to train a publicly released model. Existing research has proposed a variety of property inference attacks against different machine learning algorithms. These attacks are hard to defend against for two reasons: a well-trained model always memorizes the explicit and implicit global properties of its training dataset, and the model provider cannot know in advance which properties will be attacked, so a targeted defense is difficult. To address this problem, this paper proposes a generic privacy-preserving model training method named PPMT (Privacy Preserving Model Training). It works iteratively: in each iteration, PPMT constructs a proxy (agent) dataset and trains the model on that dataset rather than on the private one. Although each iteration both raises privacy and lowers utility, privacy rises quickly and exponentially while utility falls slowly and linearly. After several iterations, PPMT maximizes the privacy of the global properties under a model-utility constraint and produces the final model. Two representative machine learning algorithms and three typical datasets are chosen to experimentally evaluate the utility, privacy and robustness of models trained with PPMT. The results show that models trained with PPMT change in different directions and at different speeds with respect to global properties, lose 1.28% utility on average, and, when the hyperparameter α is kept secret, can be inverted by a possible attack with a success rate of only 22%~33%. This demonstrates that PPMT not only protects the global-property privacy of the private dataset but also preserves sufficient model utility and robustness against possible attacks.

Abstract (English, as given in the paper): We are the first to propose an effective defense against property inference attacks. A property inference attack reveals properties of the private training dataset from public classifiers trained on this dataset. Existing research has proposed various property inference attacks for different machine learning algorithms. These attacks are difficult to defend against, since a well-trained model always remembers all the explicit and implicit global properties of the training dataset, and the model provider cannot know in advance what properties will be attacked. To address this problem, this paper proposes a generic privacy preserving model training method, named PPMT, which works in an iterative fashion. In each iteration, PPMT constructs a substitution dataset and trains a model on this dataset instead of the private one. Although each iteration leads to privacy increasing and utility decreasing, the privacy exhibits a fast and exponential increase, while the utility exhibits a slow and linear decrease. After several iterations, PPMT generates the final model, which maximizes privacy of global properties under the constraint of model utility. This paper considers two representative machine learning algorithms and three typical datasets, and conducts experiments to evaluate the utility, privacy and robustness performance achieved by models trained by PPMT. The results show that the models trained with PPMT change at different speeds in different directions in terms of global properties, with an average loss of 1.28% in terms of utility, and the success rate of inversion by a possible attack with hyperparameter α kept secret is only 22% to 33%. This suggests that PPMT not only preserves the privacy of the private dataset but also ensures adequate model utility and is even robust to possible attacks.
Authors: 董恺 蒋驰昊 李想 凌振 杨明 (DONG Kai; JIANG Chi-Hao; LI Xiang; LING Zhen; YANG Ming), School of Computer Science and Engineering, Southeast University, Nanjing 211189
Source: 《计算机学报》 (Chinese Journal of Computers), indexed in EI, CAS, CSCD and the Peking University Core list; 2024, Issue 4, pp. 907-923 (17 pages)
Funding: National Key R&D Program of China (No. 2023YFC3605804); National Natural Science Foundation of China (No. 62072098, 62072103, 62232004); Jiangsu Provincial Key R&D Program (No. BE2022065-5, BE2022680)
Keywords: artificial intelligence security; property inference attack; global property privacy; privacy-enhancing techniques; proxy (agent) datasets