
Investigating Privacy Attacks in the Gray-Box Setting to Enhance Collaborative Learning Schemes

Federico Mazzone, Ahmad Al Badawi, Yuriy Polyakov, Maarten Everts, Florian Hahn, Andreas Peter

TL;DR

This work studies privacy attacks in the gray-box setting, where the attacker has only limited access to the model, both in what it can observe and in what actions it can take, and deploys SmartCryptNN, a framework that tailors homomorphic encryption to protect the portions of the model posing higher privacy risks.

Abstract

The notion that collaborative machine learning can ensure privacy by just withholding the raw data is widely acknowledged to be flawed. Over the past seven years, the literature has revealed several privacy attacks that enable adversaries to extract information about a model's training dataset by exploiting access to model parameters during or after training. In this work, we study privacy attacks in the gray-box setting, where the attacker has only limited access to the model, both in what it can observe and in what actions it can take. The findings of our investigation provide new insights for the development of privacy-preserving collaborative learning solutions. We deploy SmartCryptNN, a framework that tailors homomorphic encryption to protect the portions of the model posing higher privacy risks. Our solution offers a trade-off between privacy and efficiency, which varies based on the extent and selection of the model components we choose to protect. We explore it on dense neural networks, where through extensive evaluation of diverse datasets and architectures, we uncover instances where a favorable sweet spot in the trade-off can be achieved by safeguarding only a single layer of the network. In one such instance, our approach trains ~4 times faster than fully encrypted solutions, while reducing membership leakage by 17.8 times compared to plaintext solutions.

Paper Structure

This paper contains 36 sections, 1 equation, 8 figures, 4 tables and 3 algorithms.

Figures (8)

  • Figure 1: Diagram representation of our approach.
  • Figure 2: Layer-wise accuracy of the white-box membership inference attack by Nasr et al. (2019) against different datasets and models, exploiting both the layer's output and gradient.
  • Figure 3: Layer-wise accuracy of the membership inference attack by Nasr et al. (2019) against intermediate models for the MNIST classification task. The model leaks more membership information as the number of training epochs grows. This behavior is particularly evident for the output layer.
  • Figure 4: Reconstruction of a face in the AT&T dataset performed at different training epochs. The first picture is a class representative, while the number at the top-left of each picture denotes the corresponding training epoch of the model.
  • Figure 5: Layer-wise accuracy of a property inference attack against intermediate models for the LFW classification task.