通过客户端级输入扰动加强联邦学习抵御隶属关系推理攻击

2023 53rd Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN) Pub Date : 2023-06-01 DOI:10.1109/DSN58367.2023.00037

Yuchen Yang, Haolin Yuan, Bo Hui, N. Gong, Neil Fendley, P. Burlina, Yinzhi Cao

{"title":"通过客户端级输入扰动加强联邦学习抵御隶属关系推理攻击","authors":"Yuchen Yang, Haolin Yuan, Bo Hui, N. Gong, Neil Fendley, P. Burlina, Yinzhi Cao","doi":"10.1109/DSN58367.2023.00037","DOIUrl":null,"url":null,"abstract":"Membership inference (MI) attacks are more diverse in a Federated Learning (FL) setting, because an adversary may be either an FL client, a server, or an external attacker. Existing defenses against MI attacks rely on perturbations to either the model's output predictions or the training process. However, output perturbations are ineffective in an FL setting, because a malicious server can access the model without output perturbation while training perturbations struggle to achieve a good utility. This paper proposes a novel defense, called CIP, to fortify FL against MI attacks via a client-level input perturbation during training and inference procedures. The key insight is to shift each client's local data distribution via a personalized perturbation to get a shifted model. CIP achieves a good balance between privacy and utility. Our evaluation shows that CIP causes accuracy to drop at most 0.7% while reducing attacks to random guessing.","PeriodicalId":427725,"journal":{"name":"2023 53rd Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN)","volume":"56 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2023-06-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":"{\"title\":\"Fortifying Federated Learning against Membership Inference Attacks via Client-level Input Perturbation\",\"authors\":\"Yuchen Yang, Haolin Yuan, Bo Hui, N. Gong, Neil Fendley, P. Burlina, Yinzhi Cao\",\"doi\":\"10.1109/DSN58367.2023.00037\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"Membership inference (MI) attacks are more diverse in a Federated Learning (FL) setting, because an adversary may be either an FL client, a server, or an external attacker. Existing defenses against MI attacks rely on perturbations to either the model's output predictions or the training process. However, output perturbations are ineffective in an FL setting, because a malicious server can access the model without output perturbation while training perturbations struggle to achieve a good utility. This paper proposes a novel defense, called CIP, to fortify FL against MI attacks via a client-level input perturbation during training and inference procedures. The key insight is to shift each client's local data distribution via a personalized perturbation to get a shifted model. CIP achieves a good balance between privacy and utility. Our evaluation shows that CIP causes accuracy to drop at most 0.7% while reducing attacks to random guessing.\",\"PeriodicalId\":427725,\"journal\":{\"name\":\"2023 53rd Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN)\",\"volume\":\"56 1\",\"pages\":\"0\"},\"PeriodicalIF\":0.0000,\"publicationDate\":\"2023-06-01\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"0\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"2023 53rd Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN)\",\"FirstCategoryId\":\"1085\",\"ListUrlMain\":\"https://doi.org/10.1109/DSN58367.2023.00037\",\"RegionNum\":0,\"RegionCategory\":null,\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"\",\"JCRName\":\"\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"2023 53rd Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/DSN58367.2023.00037","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 0

摘要

在联邦学习(FL)设置中，成员推理(MI)攻击更加多样化，因为攻击者可能是FL客户机、服务器或外部攻击者。现有的对人工智能攻击的防御依赖于对模型输出预测或训练过程的扰动。然而，输出扰动在FL设置中是无效的，因为恶意服务器可以在没有输出扰动的情况下访问模型，而训练扰动很难实现良好的效用。本文提出了一种新的防御方法，称为CIP，在训练和推理过程中通过客户端级输入扰动来加强FL对MI攻击的防御。关键的洞察力是通过个性化的扰动来改变每个客户的本地数据分布，以获得一个转移的模型。CIP在私密性和实用性之间取得了很好的平衡。我们的评估表明，CIP导致准确率最多下降0.7%，同时减少了随机猜测的攻击。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

查看原文本刊更多论文

Fortifying Federated Learning against Membership Inference Attacks via Client-level Input Perturbation

Membership inference (MI) attacks are more diverse in a Federated Learning (FL) setting, because an adversary may be either an FL client, a server, or an external attacker. Existing defenses against MI attacks rely on perturbations to either the model's output predictions or the training process. However, output perturbations are ineffective in an FL setting, because a malicious server can access the model without output perturbation while training perturbations struggle to achieve a good utility. This paper proposes a novel defense, called CIP, to fortify FL against MI attacks via a client-level input perturbation during training and inference procedures. The key insight is to shift each client's local data distribution via a personalized perturbation to get a shifted model. CIP achieves a good balance between privacy and utility. Our evaluation shows that CIP causes accuracy to drop at most 0.7% while reducing attacks to random guessing.

求助全文

通过发布文献求助，成功后即可免费获取论文全文。去求助

来源期刊

2023 53rd Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN)

自引率

0.00%

发文量