Xianglong Zhang;Huanle Zhang;Guoming Zhang;Yanni Yang;Feng Li;Lisheng Fan;Zhijian Huang;Xiuzhen Cheng;Pengfei Hu
Title: Membership Inference Attacks Against Incremental Learning in IoT Devices
Journal: IEEE Transactions on Mobile Computing, 24(5), pp. 4006-4021
Publication date: 2024-12-20
Publication type: Journal Article
DOI: 10.1109/TMC.2024.3521216
URL: https://ieeexplore.ieee.org/document/10811834/
Impact factor: 7.7; JCR: Q1 (Computer Science, Information Systems)
Citation count: 0
Abstract
Internet of Things (IoT) devices are frequently deployed in highly dynamic environments and need to continuously learn new classes from data streams. Incremental Learning (IL) has gained popularity in IoT as it enables devices to learn new classes efficiently without retraining the model entirely. IL involves fine-tuning the model using two sources of data: a small amount of representative samples from the original training dataset and samples from the new classes. However, both data sources are vulnerable to Membership Inference Attack (MIA). Fortunately, the existing MIAs result in poor performance against IL, because they ignore features such as the similarity between old and new models at the old classification layer. This paper presents the first MIA against IL, capable of determining not only whether a sample was used for training/fine-tuning but also distinguishing whether it belongs to the representative dataset or the new classes (unique in IL). Extensive experiments validate the effectiveness of our attack across four real-world datasets. Our attack achieves an average attack success rate of 74.03% in the white-box setting (model structure and parameters are known) and 70.08% in the black-box setting. Importantly, our attack is not sensitive to the IL hyper-parameters (e.g., distillation temperature), confirming that it is accurate, robust, and practical.
About the journal:
IEEE Transactions on Mobile Computing addresses key technical issues related to various aspects of mobile computing. This includes (a) architectures, (b) support services, (c) algorithm/protocol design and analysis, (d) mobile environments, (e) mobile communication systems, (f) applications, and (g) emerging technologies. Topics of interest span a wide range, covering aspects like mobile networks and hosts, mobility management, multimedia, operating system support, power management, online and mobile environments, security, scalability, reliability, and emerging technologies such as wearable computers, body area networks, and wireless sensor networks. The journal serves as a comprehensive platform for advancements in mobile computing research.