NetGuard: Protecting Commercial Web APIs from Model Inversion Attacks using GAN-generated Fake Samples

Proceedings of the ACM Web Conference 2023 Pub Date : 2023-04-30 DOI:10.1145/3543507.3583224

Xueluan Gong, Ziyao Wang, Yanjiao Chen, Qianqian Wang, Cong Wang, Chao Shen

{"title":"NetGuard: Protecting Commercial Web APIs from Model Inversion Attacks using GAN-generated Fake Samples","authors":"Xueluan Gong, Ziyao Wang, Yanjiao Chen, Qianqian Wang, Cong Wang, Chao Shen","doi":"10.1145/3543507.3583224","DOIUrl":null,"url":null,"abstract":"Recently more and more cloud service providers (e.g., Microsoft, Google, and Amazon) have commercialized their well-trained deep learning models by providing limited access via web API interfaces. However, it is shown that these APIs are susceptible to model inversion attacks, where attackers can recover the training data with high fidelity, which may cause serious privacy leakage.Existing defenses against model inversion attacks, however, hinder the model performance and are ineffective for more advanced attacks, e.g., Mirror [4]. In this paper, we proposed NetGuard, a novel utility-aware defense methodology against model inversion attacks (MIAs). Unlike previous works that perturb prediction outputs of the victim model, we propose to mislead the MIA effort by inserting engineered fake samples during the training process. A generative adversarial network (GAN) is carefully built to construct fake training samples to mislead the attack model without degrading the performance of the victim model. Besides, we adopt continual learning to further improve the utility of the victim model. Extensive experiments on CelebA, VGG-Face, and VGG-Face2 datasets show that NetGuard is superior to existing defenses, including DP [37] and Ad-mi [32] on state-of-the-art model inversion attacks, i.e., DMI [8], Mirror [4], Privacy [12], and Alignment [34].","PeriodicalId":296351,"journal":{"name":"Proceedings of the ACM Web Conference 2023","volume":"5 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2023-04-30","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"1","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Proceedings of the ACM Web Conference 2023","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1145/3543507.3583224","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 1

Abstract

Recently more and more cloud service providers (e.g., Microsoft, Google, and Amazon) have commercialized their well-trained deep learning models by providing limited access via web API interfaces. However, it is shown that these APIs are susceptible to model inversion attacks, where attackers can recover the training data with high fidelity, which may cause serious privacy leakage.Existing defenses against model inversion attacks, however, hinder the model performance and are ineffective for more advanced attacks, e.g., Mirror [4]. In this paper, we proposed NetGuard, a novel utility-aware defense methodology against model inversion attacks (MIAs). Unlike previous works that perturb prediction outputs of the victim model, we propose to mislead the MIA effort by inserting engineered fake samples during the training process. A generative adversarial network (GAN) is carefully built to construct fake training samples to mislead the attack model without degrading the performance of the victim model. Besides, we adopt continual learning to further improve the utility of the victim model. Extensive experiments on CelebA, VGG-Face, and VGG-Face2 datasets show that NetGuard is superior to existing defenses, including DP [37] and Ad-mi [32] on state-of-the-art model inversion attacks, i.e., DMI [8], Mirror [4], Privacy [12], and Alignment [34].

查看原文本刊更多论文

NetGuard:使用gan生成的假样本保护商业Web api免受模型反转攻击

最近，越来越多的云服务提供商(如微软、谷歌和亚马逊)通过提供通过web API接口的有限访问，将他们训练有素的深度学习模型商业化。然而，研究表明这些api容易受到模型反转攻击，攻击者可以高保真地恢复训练数据，这可能会造成严重的隐私泄露。然而，现有的针对模型反转攻击的防御会阻碍模型的性能，并且对更高级的攻击无效，例如Mirror[4]。在本文中，我们提出了NetGuard，一种针对模型反转攻击(mia)的新型实用感知防御方法。与之前扰乱受害者模型预测输出的工作不同，我们建议通过在训练过程中插入工程假样本来误导MIA的努力。在不降低受害者模型性能的前提下，精心构建生成式对抗网络(GAN)来构造虚假的训练样本来误导攻击模型。此外，我们采用持续学习的方法进一步提高受害者模型的实用性。在CelebA、VGG-Face和VGG-Face2数据集上进行的大量实验表明，NetGuard在最先进的模型反转攻击(即DMI[8]、Mirror[4]、Privacy[12]和Alignment[34])上优于现有的防御措施，包括DP[37]和Ad-mi[32]。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

Proceedings of the ACM Web Conference 2023

自引率

0.00%

发文量