Data Exfiltration by Compression Attack: Definition and Evaluation on Medical Image Data

Huiyu Li, Nicholas Ayache, Hervé Delingette

TL;DR

The paper identifies a privacy risk in exporting medical imaging models from data lakes and introduces Data Exfiltration by Compression (DEC), a novel attack that embeds compression codes within the exported model to reconstruct sensitive data outside the lake. It presents two deployment scenarios (External Pre-training and Internal Training) and a HiFiC-based lossy compression framework to maximize data exfiltration while minimizing export size, including strategies for hiding codes (steganography, dictionary entries). The work provides extensive evaluations on LiTS and BraTS datasets, showing high-fidelity reconstructions (PSNR ~40 CT, ~38 MR; MS_SSIM ~1) with relatively small export footprints, and demonstrates that stolen data can train effective external utility models. Finally, it analyzes defense options, including differential privacy and a novel model-fine-tuning export protocol, offering practical mitigations for data-lake owners and outlining directions for robust privacy-preserving strategies.

Abstract

With the rapid expansion of data lakes storing health data and hosting AI algorithms, a prominent concern arises: how safe is it to export machine learning models from these data lakes? In particular, deep network models, widely used for health data processing, encode information from their training dataset, potentially leading to the leakage of sensitive information upon its export. This paper thoroughly examines this issue in the context of medical imaging data and introduces a novel data exfiltration attack based on image compression techniques. This attack, termed Data Exfiltration by Compression, requires only access to a data lake and is based on lossless or lossy image compression methods. Unlike previous data exfiltration attacks, it is compatible with any image processing task and depends solely on an exported network model without requiring any additional information to be collected during the training process. We explore various scenarios, and techniques to limit the size of the exported model and conceal the compression codes within the network. Using two public datasets of CT and MR images, we demonstrate that this attack can effectively steal medical images and reconstruct them outside the data lake with high fidelity, achieving an optimal balance between compression and reconstruction quality. Additionally, we investigate the impact of basic differential privacy measures, such as adding Gaussian noise to the model parameters, to prevent the Data Exfiltration by Compression Attack. We also show how the attacker can make their attack resilient to differential privacy at the expense of decreasing the number of stolen images. Lastly, we propose an alternative prevention strategy by fine-tuning the model to be exported.
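The abstract frames the problem as a question for the data-lake owner: what leaves the lake when a model is exported, and does it contain more than the approved architecture? As an added example that is not part of the paper or its code, the following Python script sketches two of the defender-side measures the abstract alludes to: an export audit that compares a checkpoint against the expected parameter names, shapes and byte size (so extra dictionary entries or inflated tensors are flagged), and the basic perturbation defense of adding Gaussian noise to parameters before export. It also includes a PSNR helper, the fidelity metric the paper reports. The architecture, the checkpoint format (`{name: (shape, flat list of floats)}`) and all values are constructed for illustration.

```python
import math
import random

# Constructed: parameter names and shapes the data-lake owner approved for
# the utility network (a hypothetical tiny CNN, not the paper's model).
EXPECTED_SHAPES = {
    "conv1.weight": (8, 1, 3, 3),
    "conv1.bias": (8,),
    "fc.weight": (2, 8),
    "fc.bias": (2,),
}


def numel(shape):
    """Number of elements in a tensor of the given shape."""
    n = 1
    for d in shape:
        n *= d
    return n


def audit_export(state_dict, expected_shapes, bytes_per_param=4, tolerance=0.0):
    """Compare an export request with the approved architecture.

    state_dict maps name -> (shape, flat list of floats)  (constructed format).
    Returns a list of human-readable findings; an empty list means the
    checkpoint matches the approved architecture exactly.
    """
    findings = []
    # Entries that are not part of the approved architecture (e.g. extra
    # dictionary keys carrying arbitrary payloads).
    for name in state_dict:
        if name not in expected_shapes:
            findings.append(f"unexpected entry: {name}")
    # Missing or reshaped tensors.
    for name, shape in expected_shapes.items():
        if name not in state_dict:
            findings.append(f"missing entry: {name}")
        elif tuple(state_dict[name][0]) != tuple(shape):
            findings.append(f"shape mismatch: {name} {state_dict[name][0]} != {shape}")
    # Export footprint versus what the approved architecture should weigh.
    expected_bytes = sum(numel(s) for s in expected_shapes.values()) * bytes_per_param
    actual_bytes = sum(len(vals) for _, vals in state_dict.values()) * bytes_per_param
    if actual_bytes > expected_bytes * (1 + tolerance):
        findings.append(f"export size {actual_bytes} B exceeds expected {expected_bytes} B")
    return findings


def add_gaussian_noise(state_dict, sigma, seed=0):
    """Basic perturbation defense: add N(0, sigma^2) noise to every parameter
    before release. Deterministic for a given seed so results are reproducible."""
    rng = random.Random(seed)
    return {
        name: (shape, [w + rng.gauss(0.0, sigma) for w in vals])
        for name, (shape, vals) in state_dict.items()
    }


def max_abs_deviation(a, b):
    """Largest per-parameter change between two checkpoints with equal keys."""
    return max(abs(x - y) for name in a for x, y in zip(a[name][1], b[name][1]))


def psnr(reference, candidate, max_value=1.0):
    """Peak signal-to-noise ratio in dB between two flat intensity lists."""
    mse = sum((a - b) ** 2 for a, b in zip(reference, candidate)) / len(reference)
    if mse == 0.0:
        return math.inf
    return 10.0 * math.log10(max_value ** 2 / mse)


def make_checkpoint(shapes, seed=1):
    """Constructed checkpoint filled with small random weights."""
    rng = random.Random(seed)
    return {name: (shape, [rng.uniform(-0.1, 0.1) for _ in range(numel(shape))])
            for name, shape in shapes.items()}


def demo():
    clean = make_checkpoint(EXPECTED_SHAPES)
    # Constructed tampered export: an extra dictionary entry not in the architecture.
    tampered = dict(clean)
    tampered["codes.z"] = ((64,), [0.0] * 64)
    noisy = add_gaussian_noise(clean, sigma=0.01)
    return {
        "clean_findings": audit_export(clean, EXPECTED_SHAPES),
        "tampered_findings": audit_export(tampered, EXPECTED_SHAPES),
        "noise_deviation": max_abs_deviation(clean, noisy),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The audit is deliberately strict: any key outside the approved list, any shape change, and any growth of the serialized size beyond the architecture's nominal footprint is reported, which is the cheap first check an export gate can run before the costlier options (noise injection or the fine-tuning protocol the paper proposes) are considered.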

Paper Structure

This paper contains 20 sections, 14 figures, 2 tables.

Figures (14)

  • Figure 1: Overview of Data Exfiltration by Compression Attack.
  • Figure 2: The pipeline of lossy compression based attack in External Pre-training Scenario, where the data owner has access to an encoder-decoder pair outside the data lake. Initially, an encoder-decoder pair is trained on an external dataset. The trained encoder is then imported into the data lake. Next, the encoder compresses the target data into compression codes $Z$ while a utility network is simultaneously trained to conceal the attack behavior. Subsequently, the attacker exports the compressed codes embedded within the trained utility network from the data lake. Finally, with the exported $Z$ and the trained decoder outside the data lake, the attacker can de-compress the stolen dataset.
  • Figure 3: The pipeline of lossy compression based attack in Internal Training Scenario, without access to an external encoder-decoder pair. First, an attack model trained inside the data lake compresses the target data into compression codes $Z$, utilizing a shared encoder with a utility decoder branch for hiding the attack behavior. Then, the attacker exports the utility network, attack decoder, and $Z$ from the data lake. Finally, the stolen data can be de-compressed outside the data lake using the exported Z and the decoder.
  • Figure 4: Operational diagrams of the learned image compression method using a hyperprior entropy model 47602. The upper section corresponds to a hyperprior auto-encoder while the lower one shows an image auto-encoder architecture where AE and AD represent the arithmetic encoder and arithmetic decoder, respectively.
  • Figure 5: Lossy compression based attack on CT images (a) and MRI images (b) with various channel numbers $C^{|Z_{\mathrm{latent}}|}_{|Z_{\mathrm{hyper}}|}$ on the x axis. The compression efficiency is measured using the criteria of BPP and $\mathrm{P}_{\mathrm{ratio}}$ in the first row, while the reconstruction fidelity is assessed using the criteria of PSNR and MS_SSIM in the second row.
  • ...and 9 more figures