Dual defense: Combining preemptive exclusion of members and knowledge distillation to mitigate membership inference attacks

Journal of Information and Intelligence Pub Date : 2025-01-01 DOI:10.1016/j.jiixd.2024.06.002

Jun Niu , Peng Liu , Chunhui Huang , Yangming Zhang , Moxuan Zeng , Kuo Shen , Yangzhong Wang , Suyu An , Yulong Shen , Xiaohong Jiang , Jianfeng Ma , He Wang , Gaofei Wu , Anmin Fu , Chunjie Cao , Xiaoyan Zhu , Yuqing Zhang

{"title":"Dual defense: Combining preemptive exclusion of members and knowledge distillation to mitigate membership inference attacks","authors":"Jun Niu , Peng Liu , Chunhui Huang , Yangming Zhang , Moxuan Zeng , Kuo Shen , Yangzhong Wang , Suyu An , Yulong Shen , Xiaohong Jiang , Jianfeng Ma , He Wang , Gaofei Wu , Anmin Fu , Chunjie Cao , Xiaoyan Zhu , Yuqing Zhang","doi":"10.1016/j.jiixd.2024.06.002","DOIUrl":null,"url":null,"abstract":"<div><div>Membership inference (MI) attacks threaten user privacy through determining if a given data example has been used to train a target model. Existing MI defenses protect the membership privacy through preemptive exclusion of members techniques and knowledge distillation. Unfortunately, using either of these two defenses alone, the defense effect can still offers an unsatisfactory trade-off between membership privacy and utility.</div><div>Given that the defense method that directly combines these two defenses is still very limited (e.g., the test accuracy of the target model is decreased by about 40% (in our experiments)), in this work, we propose a dual defense (DD) method that includes the preemptive exclusion of high-risk member samples module and the knowledge distillation module, which thwarts the access of the resulting models to the private training data twice to mitigate MI attacks. Our defense method can be divided into two steps: the preemptive exclusion of high-risk member samples (Step 1) and the knowledge distillation to obtain the protected student model (Step 2). We propose three types of exclusions: existing MI attacks-based exclusions, sample distances of members and nonmembers-based exclusions, and mutual information value-based exclusions, to preemptively exclude the high-risk member samples. During the knowledge distillation phase, we add ground-truth labeled data to the reference dataset to decrease the protected student model's dependency on soft labels, aiming to maintain or improve its test accuracy. Extensive evaluation shows that DD significantly outperforms state-of-the-art defenses and offers a better privacy-utility trade-off. For example, DD achieves ∼100% test accuracy improvement over the distillation for membership privacy (DMP) defense for ResNet50 trained on CIFAR100. DD simultaneously achieves the reductions in the attack effectiveness (e.g., the [email protected]%FPR of enhanced MI attacks decreased by 2.10% on the ImageNet dataset, the membership advantage (MA) of risk score-based attacks decreased by 56.30%) and improvements of the target models' test accuracies (e.g., by 42.80% on CIFAR100).</div></div>","PeriodicalId":100790,"journal":{"name":"Journal of Information and Intelligence","volume":"3 1","pages":"Pages 68-92"},"PeriodicalIF":0.0000,"publicationDate":"2025-01-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Journal of Information and Intelligence","FirstCategoryId":"1085","ListUrlMain":"https://www.sciencedirect.com/science/article/pii/S2949715924000556","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 0

Abstract

Membership inference (MI) attacks threaten user privacy through determining if a given data example has been used to train a target model. Existing MI defenses protect the membership privacy through preemptive exclusion of members techniques and knowledge distillation. Unfortunately, using either of these two defenses alone, the defense effect can still offers an unsatisfactory trade-off between membership privacy and utility.

Given that the defense method that directly combines these two defenses is still very limited (e.g., the test accuracy of the target model is decreased by about 40% (in our experiments)), in this work, we propose a dual defense (DD) method that includes the preemptive exclusion of high-risk member samples module and the knowledge distillation module, which thwarts the access of the resulting models to the private training data twice to mitigate MI attacks. Our defense method can be divided into two steps: the preemptive exclusion of high-risk member samples (Step 1) and the knowledge distillation to obtain the protected student model (Step 2). We propose three types of exclusions: existing MI attacks-based exclusions, sample distances of members and nonmembers-based exclusions, and mutual information value-based exclusions, to preemptively exclude the high-risk member samples. During the knowledge distillation phase, we add ground-truth labeled data to the reference dataset to decrease the protected student model's dependency on soft labels, aiming to maintain or improve its test accuracy. Extensive evaluation shows that DD significantly outperforms state-of-the-art defenses and offers a better privacy-utility trade-off. For example, DD achieves ∼100% test accuracy improvement over the distillation for membership privacy (DMP) defense for ResNet50 trained on CIFAR100. DD simultaneously achieves the reductions in the attack effectiveness (e.g., the [email protected]%FPR of enhanced MI attacks decreased by 2.10% on the ImageNet dataset, the membership advantage (MA) of risk score-based attacks decreased by 56.30%) and improvements of the target models' test accuracies (e.g., by 42.80% on CIFAR100).

查看原文本刊更多论文

双重防御：结合先发制人的成员排除和知识蒸馏来减轻成员推理攻击

成员推理（MI）攻击通过确定给定数据示例是否已用于训练目标模型来威胁用户隐私。现有的信息交换防御通过先发制人的成员排除技术和知识蒸馏来保护成员隐私。不幸的是，单独使用这两种防御中的任何一种，防御效果仍然可能在成员隐私和效用之间提供令人不满意的权衡。鉴于直接结合这两种防御的防御方法仍然非常有限（例如，目标模型的测试精度降低了约40%（在我们的实验中）），在这项工作中，我们提出了一种双重防御（DD）方法，该方法包括抢先排除高风险成员样本模块和知识蒸馏模块，该方法阻止了结果模型对私有训练数据的两次访问，以缓解MI攻击。我们的防御方法分为两步：首先是对高风险成员样本的先发制人排除（步骤1），其次是对受保护学生模型的知识提炼（步骤2）。我们提出了基于现有MI攻击的排除、基于成员和非成员样本距离的排除和基于相互信息价值的排除三种类型的排除，以先发制人地排除高风险成员样本。在知识蒸馏阶段，我们在参考数据集中添加了真实标记数据，以减少受保护学生模型对软标签的依赖，以保持或提高其测试精度。广泛的评估表明，DD显著优于最先进的防御，并提供了更好的隐私效用权衡。例如，对于在CIFAR100上训练的ResNet50， DD在成员隐私（DMP）防御的蒸馏上实现了~ 100%的测试精度提高。DD同时实现了攻击有效性的降低（例如，增强MI攻击的[email protected]%FPR在ImageNet数据集上降低了2.10%，基于风险评分的攻击的隶属度优势（MA）降低了56.30%）和目标模型测试准确性的提高（例如，在CIFAR100上提高了42.80%）。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

Journal of Information and Intelligence

自引率

0.00%

发文量