Overfitting, robustness, and malicious algorithms: A study of potential causes of privacy risk in machine learning

J. Comput. Secur. Pub Date : 2020-02-04 DOI:10.3233/jcs-191362

Samuel Yeom, Irene Giacomelli, Alan Menaged, Matt Fredrikson, S. Jha

{"title":"Overfitting, robustness, and malicious algorithms: A study of potential causes of privacy risk in machine learning","authors":"Samuel Yeom, Irene Giacomelli, Alan Menaged, Matt Fredrikson, S. Jha","doi":"10.3233/jcs-191362","DOIUrl":null,"url":null,"abstract":". Machine learning algorithms, when applied to sensitive data, pose a distinct threat to privacy. A growing body of prior work demonstrates that models produced by these algorithms may leak speciﬁc private information in the training data to an attacker, either through the models’ structure or their observable behavior. This article examines the factors that can allow a training set membership inference attacker or an attribute inference attacker to learn such information. Using both formal and empirical analyses, we illustrate a clear relationship between these factors and the privacy risk that arises in several popular machine learning algorithms. We ﬁnd that overﬁtting is sufﬁcient to allow an attacker to perform membership inference and, when the target attribute meets certain conditions about its inﬂuence, attribute inference attacks. We also explore the connection between membership inference and attribute inference, showing that there are deep connections between the two that lead to effective new attacks. We show that overﬁtting is not necessary for these attacks, demonstrating that other factors, such as robustness to norm-bounded input perturbations and malicious training algorithms, can also signiﬁcantly increase the privacy risk. Notably, as robustness is intended to be a defense against attacks on the integrity of model predictions, these results suggest it may be difﬁcult in some cases to simultaneously defend against privacy and integrity attacks.","PeriodicalId":142580,"journal":{"name":"J. Comput. Secur.","volume":"17 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2020-02-04","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"25","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"J. Comput. Secur.","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.3233/jcs-191362","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 25

Abstract

. Machine learning algorithms, when applied to sensitive data, pose a distinct threat to privacy. A growing body of prior work demonstrates that models produced by these algorithms may leak speciﬁc private information in the training data to an attacker, either through the models’ structure or their observable behavior. This article examines the factors that can allow a training set membership inference attacker or an attribute inference attacker to learn such information. Using both formal and empirical analyses, we illustrate a clear relationship between these factors and the privacy risk that arises in several popular machine learning algorithms. We ﬁnd that overﬁtting is sufﬁcient to allow an attacker to perform membership inference and, when the target attribute meets certain conditions about its inﬂuence, attribute inference attacks. We also explore the connection between membership inference and attribute inference, showing that there are deep connections between the two that lead to effective new attacks. We show that overﬁtting is not necessary for these attacks, demonstrating that other factors, such as robustness to norm-bounded input perturbations and malicious training algorithms, can also signiﬁcantly increase the privacy risk. Notably, as robustness is intended to be a defense against attacks on the integrity of model predictions, these results suggest it may be difﬁcult in some cases to simultaneously defend against privacy and integrity attacks.

查看原文本刊更多论文

过拟合、鲁棒性和恶意算法:机器学习中隐私风险潜在原因的研究

．当机器学习算法应用于敏感数据时，对隐私构成了明显的威胁。越来越多的先前工作表明，由这些算法产生的模型可能会通过模型的结构或其可观察的行为将训练数据中的特定私人信息泄露给攻击者。本文研究了允许训练集成员推理攻击者或属性推理攻击者学习此类信息的因素。使用正式和实证分析，我们说明了这些因素与几种流行的机器学习算法中出现的隐私风险之间的明确关系。我们发现，过拟合足以允许攻击者进行隶属度推理，当目标属性满足其影响的一定条件时，进行属性推理攻击。我们还探讨了隶属推理和属性推理之间的联系，表明两者之间存在深刻的联系，导致有效的新攻击。我们表明过拟合对于这些攻击是不必要的，这表明其他因素，如对范数有界输入扰动的鲁棒性和恶意训练算法，也会显著增加隐私风险。值得注意的是，由于鲁棒性旨在防御对模型预测完整性的攻击，这些结果表明，在某些情况下，同时防御隐私和完整性攻击可能很困难。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

J. Comput. Secur.

自引率

0.00%

发文量