2019 Triangle Machine Learning Day - Defending against Machine Learning based Inference Attacks using Adversarial Examples as Deceptive Mechanisms - Jinyuan Jia, September 20, 2019
Download as PPTX, PDF0 likes121 views
The document discusses machine learning-based inference attacks, highlighting the correlation between public and private data, and categorizes various attack types such as attribute inference and author identification. It presents challenges for defenders, particularly in terms of classifier knowledge and utility constraints, and offers a two-phase framework for defending against these attacks using adversarial examples. The authors reference prior work on defenses against membership and attribute inference attacks.
2019 Triangle Machine Learning Day - Defending against Machine Learning based Inference Attacks using Adversarial Examples as Deceptive Mechanisms - Jinyuan Jia, September 20, 2019
- 1. Defending against Machine Learning based Inference Attacks using Adversarial Examples Jinyuan Jia, Neil Zhenqiang Gong Department of Electrical and Computer Engineering 1
- 2. Machine Learning based Inference Attacks Input: User’s public data Output: User’s private data Private data and public data are statistically correlated Machine learning classifier Public data Private data (Public data, Private data) 2
- 3. Machine Learning based Inference Attacks are Pervasive Attribute inference attacks Public: Rating scores, page likes, social friends. Private: Age, gender, political view Author identification attacks Public: Text document, program Private: Author identity Website fingerprinting attacks Public: Network traffic Private: Websites Membership inference attacks Public: Confidence scores, gradients Private: Member/Non-member 3
- 4. Threat Model True public data DefenderUser Attacker Noisy public data Private data 4
- 5. Challenges The defender doesn’t know the attacker’s classifier The defender itself learn a classifier Transferability: similar classification boundaries Satisfy utility constraints Find a mechanism to add random noise is the conditional probability that defender will add noise to user’s true public data Sample from to add noise 5 M * ( | )M r x r x M
- 6. Overview Challenge to find the mechanism : The probabilistic mapping is exponential to the dimensionality of Categorize noise space into groups to solve the challenge… 0x+r 1x+r ix+r 1ix+r … 1nk x +r 2n k x +r mapping … Class 1 Class 2 Class m Output of Output of Output of 6 M
- 7. Two-Phase Framework Phase I: For each noise group, find a minimum noise as representative noise Phase II: Simplify the mechanism to be a probability distribution over representative noise 7
- 8. Thanks • Jinyuan Jia, Ahmed Salem, Michael Backes, Yang Zhang, and Neil Zhenqiang Gong. "MemGuard: Defending against Black-Box Membership Inference Attacks via Adversarial Examples". In ACM Conference on Computer and Communications Security (CCS), 2019. • Jinyuan Jia and Neil Zhenqiang Gong. "AttriGuard: A Practical Defense Against Attribute Inference Attacks via Adversarial Machine Learning". In USENIX Security Symposium, 2018. 8