Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

MIST: Defending Against Membership Inference Attacks Through Membership-Invariant Subspace Training

Jiacheng Li, Ninghui Li, Bruno Ribeiro

TL;DR

A novel Membership-Invariant Subspace Training (MIST) method to defend against MI attacks, which finds that MIST outperforms other defenses while resulting in minimal reduction in testing accuracy.

Abstract

In Member Inference (MI) attacks, the adversary try to determine whether an instance is used to train a machine learning (ML) model. MI attacks are a major privacy concern when using private data to train ML models. Most MI attacks in the literature take advantage of the fact that ML models are trained to fit the training data well, and thus have very low loss on training instances. Most defenses against MI attacks therefore try to make the model fit the training data less well. Doing so, however, generally results in lower accuracy. We observe that training instances have different degrees of vulnerability to MI attacks. Most instances will have low loss even when not included in training. For these instances, the model can fit them well without concerns of MI attacks. An effective defense only needs to (possibly implicitly) identify instances that are vulnerable to MI attacks and avoids overfitting them. A major challenge is how to achieve such an effect in an efficient training process. Leveraging two distinct recent advancements in representation learning: counterfactually-invariant representations and subspace learning methods, we introduce a novel Membership-Invariant Subspace Training (MIST) method to defend against MI attacks. MIST avoids overfitting the vulnerable instances without significant impact on other instances. We have conducted extensive experimental studies, comparing MIST with various other state-of-the-art (SOTA) MI defenses against several SOTA MI attacks. We find that MIST outperforms other defenses while resulting in minimal reduction in testing accuracy.

MIST: Defending Against Membership Inference Attacks Through Membership-Invariant Subspace Training

TL;DR

A novel Membership-Invariant Subspace Training (MIST) method to defend against MI attacks, which finds that MIST outperforms other defenses while resulting in minimal reduction in testing accuracy.

Abstract

In Member Inference (MI) attacks, the adversary try to determine whether an instance is used to train a machine learning (ML) model. MI attacks are a major privacy concern when using private data to train ML models. Most MI attacks in the literature take advantage of the fact that ML models are trained to fit the training data well, and thus have very low loss on training instances. Most defenses against MI attacks therefore try to make the model fit the training data less well. Doing so, however, generally results in lower accuracy. We observe that training instances have different degrees of vulnerability to MI attacks. Most instances will have low loss even when not included in training. For these instances, the model can fit them well without concerns of MI attacks. An effective defense only needs to (possibly implicitly) identify instances that are vulnerable to MI attacks and avoids overfitting them. A major challenge is how to achieve such an effect in an efficient training process. Leveraging two distinct recent advancements in representation learning: counterfactually-invariant representations and subspace learning methods, we introduce a novel Membership-Invariant Subspace Training (MIST) method to defend against MI attacks. MIST avoids overfitting the vulnerable instances without significant impact on other instances. We have conducted extensive experimental studies, comparing MIST with various other state-of-the-art (SOTA) MI defenses against several SOTA MI attacks. We find that MIST outperforms other defenses while resulting in minimal reduction in testing accuracy.
Paper Structure (3 sections, 3 figures, 17 tables)

This paper contains 3 sections, 3 figures, 17 tables.

Table of Contents

  1. Further Related Work
  2. Additional Ablation Study
  3. Additional Experimental Details and Results

Figures (3)

  • Figure 1: The impact of mixup data augmentation on training accuracy, testing accuracy and attack effectiveness when the number of models is varied. AlexNet, CIFAR-10 and CIFAR-100 datasets.
  • Figure 2: Comparing all defenses using the highest MI attack PLR @ 0.001 FPR among all evaluated attacks. We show the results for each defense in one sub-figure. Notice that for PURCHASE, TEXAS and LOCATION datasets the mixup data augmentation is not applied.
  • Figure 3: Testing accuracy v.s. number of models for all datasets and models considered in this paper. No mixup data augmentation. The main observation is that testing accuracy can be improved by adding a few models. However, adding too many models would cost testing accuracy.