Netinfo Security ›› 2024, Vol. 24 ›› Issue (8): 1252-1264. doi: 10.3969/j.issn.1671-1122.2024.08.011

• Theoretical Research •

Membership Inference Attack Method Based on Ensemble Learning

ZHAO Wei, REN Xiaoning, XUE Yinxing

  1. School of Computer Science and Technology, University of Science and Technology of China, Hefei 230027, China
  • Received: 2023-11-07 Online: 2024-08-10 Published: 2024-08-22
  • Corresponding author: XUE Yinxing yxxue@ustc.edu.cn
  • About the authors: ZHAO Wei (born 1998), male, from Anhui, master's student; main research interest: artificial intelligence security | REN Xiaoning (born 1997), male, from Shanxi, PhD student, CCF member; main research interests: neural network security and testing | XUE Yinxing (born 1982), male, from Jiangsu, research fellow, PhD, CCF member; main research interests: IoT security, software system security, blockchain software security and deep learning
  • Funding:
    National Natural Science Foundation of China (61972373); Basic Research Program of Jiangsu Province (Natural Science Foundation) (BK20201192)

Membership Inference Attacks Method Based on Ensemble Learning

ZHAO Wei, REN Xiaoning, XUE Yinxing

  1. School of Computer Science and Technology, University of Science and Technology of China, Hefei 230027, China
  • Received: 2023-11-07 Online: 2024-08-10 Published: 2024-08-22

Abstract (translated from the Chinese):

With the rapid development and wide application of machine learning, the data privacy problems it raises have drawn broad attention. A membership inference attack infers whether a data sample belongs to a model's training set, and it threatens personal privacy in fields such as healthcare and finance. However, existing membership inference attacks have limited attack performance, and defenses such as differential privacy and knowledge distillation have reduced their threat to personal privacy. This paper analyzes in depth a range of black-box membership inference attacks against classification models and proposes a membership inference attack method based on ensemble learning that has better attack performance and is harder to defend against. It first analyzes the relationship among the target model's generalization gap, the attack success rate and the difference between attacks; it then selects representative membership inference attacks through an analysis of the difference between attacks; finally, it uses ensemble techniques to integrate and optimize the selected attacks so as to strengthen the attack effect. Experimental results show that, compared with existing membership inference attacks, the ensemble-learning-based membership inference attack method achieves better attack performance and stability across multiple models and datasets. An in-depth analysis of factors such as the dataset, model structure and generalization gap of this attack method can provide useful reference for defending against such membership inference attacks.

Keywords: membership inference attack, black-box attack, difference, ensemble learning

Abstract:

With the rapid development and widespread application of machine learning technology, the data privacy issues it raises have garnered significant attention. Membership inference attacks, which determine whether specific data samples were used in a model's training, have raised concerns, particularly in sensitive domains such as healthcare and finance. Existing membership inference attacks exhibit limited attack performance, and various defense mechanisms, including differential privacy and knowledge distillation, have been employed to mitigate their threat to individual privacy. This paper conducts an in-depth analysis of various black-box membership inference attacks targeting classification models and proposes a membership inference attack method based on ensemble learning that has stronger attack performance and is harder to defend against. First, the relationships among the target model's generalization gap, the attack success rate, and the difference between attacks are analyzed. Second, representative membership inference attacks are selected based on an analysis of the difference among the attacks. Finally, ensemble techniques are used to integrate the selected attacks into an attack with stronger performance. The experiments show that, compared to existing membership inference attacks, the ensemble-learning-based membership inference attack method has stronger and more stable attack performance across a wide range of models and datasets. An in-depth analysis of the attack method, including factors such as datasets, model architecture, and generalization gap, provides valuable insights for defending against membership inference attacks.
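The three quantities the abstract relates (the target model's generalization gap, each attack's success rate, and the difference between attacks), followed by difference-based selection and a majority-vote ensemble, can be made concrete with a small membership-inference audit of the kind a model owner runs to measure leakage. The script below is an added example, not code from the paper: the three threshold attacks (confidence, loss, prediction entropy), their thresholds, the disagreement-rate notion of "difference", the greedy selection rule and the softmax outputs in the audit set are all assumptions chosen for illustration, and majority voting stands in for whatever ensemble optimization the paper actually uses.

```python
"""Toy membership-inference audit (example code; data and thresholds are assumed).

Relates the target model's generalization gap, the success rate of several
black-box attacks, and the pairwise difference between attacks, then selects
diverse attacks and combines them by majority vote.
"""
import math
from itertools import combinations

# Constructed audit set: softmax output of a hypothetical 3-class target model,
# the true label, and ground-truth membership (known to the auditor).
AUDIT_SET = [
    # members (in the training set)
    ([0.95, 0.03, 0.02], 0, True),
    ([0.60, 0.30, 0.10], 0, True),
    ([0.82, 0.15, 0.03], 1, True),   # confident but wrong: loss attack misses it
    ([0.78, 0.21, 0.01], 0, True),   # just under the confidence threshold
    ([0.81, 0.10, 0.09], 0, True),   # flat tail: entropy attack misses it
    # non-members (held out)
    ([0.40, 0.35, 0.25], 2, False),
    ([0.85, 0.10, 0.05], 0, False),  # over-confident non-member fools all three
    ([0.70, 0.25, 0.05], 1, False),
    ([0.81, 0.12, 0.07], 1, False),
    ([0.50, 0.45, 0.05], 0, False),
]


def entropy(p):
    """Shannon entropy of a probability vector (natural log)."""
    return -sum(x * math.log(x) for x in p if x > 0)


# Three classic black-box attacks; each sees only the output vector (and, for
# the loss attack, the true label). Thresholds are assumed for the example.
ATTACKS = {
    "confidence": lambda p, y: max(p) >= 0.80,                      # peaked output => member
    "loss": lambda p, y: -math.log(max(p[y], 1e-12)) <= 0.30,       # low loss => member
    "entropy": lambda p, y: entropy(p) <= 0.60,                     # low entropy => member
}


def predictions(name):
    """Membership votes (True = member) of one attack over the audit set."""
    return [ATTACKS[name](p, y) for p, y, _ in AUDIT_SET]


def success_rate(preds):
    """Attack success rate: fraction of audit samples whose membership is inferred correctly."""
    truth = [m for _, _, m in AUDIT_SET]
    return sum(a == b for a, b in zip(preds, truth)) / len(truth)


def generalization_gap():
    """Target-model accuracy on members minus accuracy on non-members."""
    def acc(is_member):
        rows = [(p, y) for p, y, m in AUDIT_SET if m == is_member]
        return sum(p.index(max(p)) == y for p, y in rows) / len(rows)
    return acc(True) - acc(False)


def difference(a, b):
    """Difference between two attacks: fraction of samples on which their votes disagree."""
    return sum(x != y for x, y in zip(predictions(a), predictions(b))) / len(AUDIT_SET)


def select_diverse(min_diff):
    """Greedy selection: walk attacks by success rate and keep one only if it
    differs from every already-selected attack by at least min_diff."""
    ranked = sorted(ATTACKS, key=lambda n: -success_rate(predictions(n)))
    chosen = []
    for name in ranked:
        if all(difference(name, other) >= min_diff for other in chosen):
            chosen.append(name)
    return chosen


def ensemble_predictions(names):
    """Majority vote over the selected attacks (strict majority => member)."""
    votes = list(zip(*(predictions(n) for n in names)))
    return [sum(v) * 2 > len(v) for v in votes]


if __name__ == "__main__":
    print(f"generalization gap: {generalization_gap():.2f}")
    for name in ATTACKS:
        print(f"{name:>10}: success rate {success_rate(predictions(name)):.2f}")
    for a, b in combinations(ATTACKS, 2):
        print(f"difference({a}, {b}) = {difference(a, b):.2f}")
    chosen = select_diverse(0.15)
    print("selected:", chosen)
    print(f"ensemble: success rate {success_rate(ensemble_predictions(chosen)):.2f}")
```

On this constructed set the three single attacks succeed on 6, 7 and 7 of the 10 samples, while the majority vote succeeds on 8, because the attacks disagree on different samples (their pairwise differences are 0.2 to 0.3); raising `min_diff` to 0.25 drops the entropy attack, which disagrees least with the loss attack. The same numbers are what a defender compares before and after a mitigation such as differential privacy: the generalization gap is the quantity those defenses shrink.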

Key words: membership inference attacks, black-box attacks, difference, ensemble learning

CLC number: