Membership inference attacks via spatial projection-based relative information loss in MLaaS
Zehua Ding, Youliang Tian, Guorong Wang, Jinbo Xiong, Jinchuan Tang, Jianfeng Ma
Information Processing & Management, vol. 62, no. 1, Article 103947. Published 2024-11-04. DOI: 10.1016/j.ipm.2024.103947
https://www.sciencedirect.com/science/article/pii/S0306457324003066
Citations: 0
Abstract
Machine Learning as a Service (MLaaS) has significantly advanced data-driven decision-making and the development of intelligent applications. However, the privacy risks posed by membership inference attacks (MIAs) remain a critical concern. MIAs are primarily classified into score-based and perturbation-based attacks. The former relies on shadow data and models, which are difficult to obtain in practical applications, while the latter depends solely on perturbation distance, resulting in insufficient identification performance. To this end, we propose a Spatial Projection-based Relative Information Loss (SPRIL) MIA that ascertains sample membership by flexibly controlling the size of perturbations in the noise space and integrating relative information loss. Firstly, we analyze the changes in predicted probability distributions induced by adversarial perturbations and leverage these changes as the key features for membership identification. Secondly, we introduce a spatial projection technique that flexibly modulates the perturbation amplitude to accentuate the difference in probability distributions between member and non-member data. Thirdly, SPRIL quantifies this distribution difference by computing a relative information loss based on KL divergence and uses it to decide membership. SPRIL provides a solid method for assessing the potential risks of DNN models in MLaaS and demonstrates its efficacy and precision in both black-box and white-box settings. Finally, experimental results demonstrate the effectiveness of SPRIL across various datasets and model architectures. Notably, on the CIFAR-100 dataset, SPRIL achieves the highest attack accuracy and AUC, reaching 99.27% and 99.73%, respectively.
Journal description:
Information Processing and Management is dedicated to publishing cutting-edge original research at the convergence of computing and information science. Our scope encompasses theory, methods, and applications across various domains, including advertising, business, health, information science, information technology marketing, and social computing.
We aim to cater to the interests of both primary researchers and practitioners by offering an effective platform for the timely dissemination of advanced and topical issues in this interdisciplinary field. The journal places particular emphasis on original research articles, research survey articles, research method articles, and articles addressing critical applications of research. Join us in advancing knowledge and innovation at the intersection of computing and information science.