Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Rethinking Membership Inference Attacks Against Transfer Learning

Cong Wu, Jing Chen, Qianru Fang, Kun He, Ziming Zhao, Hao Ren, Guowen Xu, Yang Liu, Yang Xiang

TL;DR

The paper identifies a new white-box membership inference vector in transfer learning that leverages differential hidden-layer representations between teacher and student models, using shadow models and adaptive thresholds to infer teacher data membership from the student. It introduces a three-class attack variant and compares against state-of-the-art attacks, demonstrating higher attack accuracy across four datasets and multiple architectures. The work highlights the heightened privacy risk in transfer learning and provides concrete attack-architecture details, evaluation results, and initial defense considerations, emphasizing the need for tailored privacy safeguards in teacher–student transfer settings. Overall, it expands the understanding of MIA threats in transfer learning by explicitly modeling teacher–student interdependencies and offering practical insights for strengthening privacy protections in such systems.

Abstract

Transfer learning, successful in knowledge translation across related tasks, faces a substantial privacy threat from membership inference attacks (MIAs). These attacks, despite posing significant risk to ML model's training data, remain limited-explored in transfer learning. The interaction between teacher and student models in transfer learning has not been thoroughly explored in MIAs, potentially resulting in an under-examined aspect of privacy vulnerabilities within transfer learning. In this paper, we propose a new MIA vector against transfer learning, to determine whether a specific data point was used to train the teacher model while only accessing the student model in a white-box setting. Our method delves into the intricate relationship between teacher and student models, analyzing the discrepancies in hidden layer representations between the student model and its shadow counterpart. These identified differences are then adeptly utilized to refine the shadow model's training process and to inform membership inference decisions effectively. Our method, evaluated across four datasets in diverse transfer learning tasks, reveals that even when an attacker only has access to the student model, the teacher model's training data remains susceptible to MIAs. We believe our work unveils the unexplored risk of membership inference in transfer learning.

Rethinking Membership Inference Attacks Against Transfer Learning

TL;DR

The paper identifies a new white-box membership inference vector in transfer learning that leverages differential hidden-layer representations between teacher and student models, using shadow models and adaptive thresholds to infer teacher data membership from the student. It introduces a three-class attack variant and compares against state-of-the-art attacks, demonstrating higher attack accuracy across four datasets and multiple architectures. The work highlights the heightened privacy risk in transfer learning and provides concrete attack-architecture details, evaluation results, and initial defense considerations, emphasizing the need for tailored privacy safeguards in teacher–student transfer settings. Overall, it expands the understanding of MIA threats in transfer learning by explicitly modeling teacher–student interdependencies and offering practical insights for strengthening privacy protections in such systems.

Abstract

Transfer learning, successful in knowledge translation across related tasks, faces a substantial privacy threat from membership inference attacks (MIAs). These attacks, despite posing significant risk to ML model's training data, remain limited-explored in transfer learning. The interaction between teacher and student models in transfer learning has not been thoroughly explored in MIAs, potentially resulting in an under-examined aspect of privacy vulnerabilities within transfer learning. In this paper, we propose a new MIA vector against transfer learning, to determine whether a specific data point was used to train the teacher model while only accessing the student model in a white-box setting. Our method delves into the intricate relationship between teacher and student models, analyzing the discrepancies in hidden layer representations between the student model and its shadow counterpart. These identified differences are then adeptly utilized to refine the shadow model's training process and to inform membership inference decisions effectively. Our method, evaluated across four datasets in diverse transfer learning tasks, reveals that even when an attacker only has access to the student model, the teacher model's training data remains susceptible to MIAs. We believe our work unveils the unexplored risk of membership inference in transfer learning.
Paper Structure (27 sections, 4 equations, 9 figures, 5 tables, 2 algorithms)

This paper contains 27 sections, 4 equations, 9 figures, 5 tables, 2 algorithms.

Table of Contents

  1. Introduction
  2. Background
  3. Transfer Learning
  4. Membership Inference Attack
  5. Attack Overview
  6. Attack Scenario
  7. Threat Model
  8. Attack Formulation
  9. Attack Design
  10. Attack Model Training
  11. Attack Strategy
  12. Threshold Selection
  13. Other Two Typical Attacks
  14. Experimental Results
  15. Evaluation Setup
  16. ...and 12 more sections

Figures (9)

  • Figure 1: Illustration of transfer learning
  • Figure 2: Attack workflow of At.T & Ac.S.
  • Figure 3: Attack workflow of At.T & Ac.T (a) and At.S & Ac.S (b)
  • Figure 4: A example of the raw image (a), the feature representation of the student model (b), shadow student model (c), and feature representation differences (d)
  • Figure 5: The structure of ResNet50, we divided the model into five parts for transfer learning in evaluation.
  • ...and 4 more figures