1. Institute of Cyberspace Security, Zhejiang University of Technology, Hangzhou 310012, Zhejiang, China
2. College of Information Engineering, Zhejiang University of Technology, Hangzhou 310012, Zhejiang, China
3. National Key Laboratory of Science and Technology on Information System Security, Institute of Systems Engineering, Academy of Military Sciences, Beijing 100039, China
4. College of Control Science and Engineering, Zhejiang University, Hangzhou 310007, Zhejiang, China
Jinyin CHEN (born 1982), female, from Ningbo, Zhejiang; Ph.D., professor at Zhejiang University of Technology. Research interests: intelligent computing, data mining and network security.
Wenchang SHANGGUAN (born 1996), male, from Shiyan, Hubei; master's student at Zhejiang University of Technology. Research interests: deep learning, artificial intelligence, and privacy attacks and defenses.
Jingjing ZHANG (born 1988), male, from Beijing; Ph.D., engineer at the Institute of Systems Engineering, Academy of Military Sciences. Research interests: deep learning, artificial intelligence, and adversarial attacks and defenses.
Haibin ZHENG (born 1995), male, from Taizhou, Zhejiang; Ph.D. student at Zhejiang University of Technology. Research interests: deep learning, artificial intelligence, and adversarial attacks and defenses.
Yayu ZHENG (born 1978), male, from Wenzhou, Zhejiang; Ph.D., associate professor at Zhejiang University of Technology. Research interests: embedded hardware and software application development, video and image processing algorithms, and server and network technology.
Xuhong ZHANG (born 1988), male, from Shijiazhuang, Hebei; Ph.D., assistant professor at Zhejiang University. Research interests: distributed big data and artificial intelligence systems, big data mining and analysis, data-driven security, and artificial intelligence and security.
Online publication date: 2021-10
Print publication date: 2021-10-25
Citation: Jinyin CHEN, Wenchang SHANGGUAN, Jingjing ZHANG, et al. Membership inference attacks against transfer learning for generalized model[J]. Journal on Communications, 2021, 42(10): 197-210. DOI: 10.11959/j.issn.1000-436x.2021209.
Abstract: Existing membership inference attacks (MIA) perform poorly against transfer learning models that are normally fitted, that is, generalized rather than overfitted. This paper systematically studies MIA against generalized transfer learning models: an anomaly-sample detection step is designed to identify the data samples that are most vulnerable to the attack, and membership inference is then carried out against individual samples. The proposed attack is evaluated on four image data sets, and the results show that it has strong attack performance. For example, on a Flowers102 classifier transferred from VGG16 (pretrained on Caltech101), the proposed MIA achieves 83.15% membership inference precision. This reveals that, in a transfer learning setting, MIA against the teacher model can be achieved by querying only the student model, even without access to the teacher model.