Reducing audio membership inference attack accuracy to chance: 4 defenses
Michael Lomnitz, Nina Lopatina, Paul Gamble, Zigfried Hampel-Arias, Lucas Tindall, Felipe A. Mejia, Maria Alejandra Barrios

TL;DR
This paper explores privacy vulnerabilities in speaker identification models, demonstrating membership inference attacks with up to 85.9% precision and proposing defenses (prediction obfuscation, defensive distillation, adversarial training) that reduce attack accuracy to chance.
Contribution
It generalizes membership inference attacks to audio speaker identification and evaluates defenses to mitigate privacy risks.
Findings
Attack precision of 85.9% and recall of 90.8% on LibriSpeech; 78.3% precision and 90.7% recall on VOiCES
Defense methods reduce attack accuracy to chance
Effective defenses include prediction obfuscation, defensive distillation, and adversarial training
Abstract
It is critical to understand the privacy and robustness vulnerabilities of machine learning models, as their implementation expands in scope. In membership inference attacks, adversaries can determine whether a particular set of data was used in training, putting the privacy of the data at risk. Existing work has mostly focused on image related tasks; we generalize this type of attack to speaker identification on audio samples. We demonstrate attack precision of 85.9% and recall of 90.8% for LibriSpeech, and 78.3% precision and 90.7% recall for VOiCES (Voices Obscured in Complex Environmental Settings). We find that implementing defenses such as prediction obfuscation, defensive distillation, or adversarial training can reduce attack accuracy to chance.
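The abstract names the attack (confidence-based membership inference against a speaker-ID classifier) and one of the defenses (prediction obfuscation) without showing the mechanics. The following is an added illustration, not code from the paper or its authors: it builds constructed synthetic "speaker embeddings" (not real audio features), trains a deliberately memorizing kernel nearest-neighbour classifier so that the member/non-member confidence gap is visible, runs a shadow-model threshold attack against it, and then repeats the attack when the model releases only its top-1 label. All class names, constants and the data layout are assumptions chosen for the example.

```python
"""Toy membership-inference attack on an overfit speaker-ID classifier,
and the effect of label-only prediction obfuscation on it.

Added illustration, not the paper's code. Data are constructed synthetic
vectors, and the classifier is a deliberately memorizing model so that the
confidence gap between training members and held-out samples is visible.
"""
import math
import random

DIM = 8            # embedding dimension (one axis per synthetic speaker)
SPEAKERS = 8
PER_SPLIT = 4      # utterances per speaker in each data split
BANDWIDTH = 1.0    # kernel width of the memorizing classifier
TEMPERATURE = 0.1  # softmax temperature; low T sharpens confidences


def make_utterances(rng, n_per_speaker, sigma=0.25):
    """Constructed data: speaker c lives around 3*e_c with Gaussian spread."""
    data = []
    for spk in range(SPEAKERS):
        for _ in range(n_per_speaker):
            vec = [rng.gauss(0.0, sigma) + (3.0 if d == spk else 0.0) for d in range(DIM)]
            data.append((vec, spk))
    return data


def sq_dist(a, b):
    return sum((x - y) ** 2 for x, y in zip(a, b))


class MemorizingSpeakerModel:
    """Kernel 1-NN classifier: each class scores exp(-d^2/h) to its closest
    stored training utterance. A training point scores exactly 1.0 on itself,
    which is the overfitting signal a membership inference attack exploits."""

    def __init__(self, train):
        self.by_class = {}
        for vec, spk in train:
            self.by_class.setdefault(spk, []).append(vec)

    def predict_proba(self, x):
        scores = [max(math.exp(-sq_dist(x, t) / BANDWIDTH) for t in self.by_class[c])
                  for c in range(SPEAKERS)]
        logits = [s / TEMPERATURE for s in scores]
        m = max(logits)
        exps = [math.exp(l - m) for l in logits]
        z = sum(exps)
        return [e / z for e in exps]


def label_only(probs):
    """Prediction obfuscation: release only the top-1 label as a one-hot vector."""
    top = max(range(len(probs)), key=probs.__getitem__)
    return [1.0 if i == top else 0.0 for i in range(len(probs))]


def confidence(output):
    return max(output)


def fit_threshold(members, nonmembers):
    """Attacker side: choose the confidence threshold that best separates the
    shadow model's own members from non-members (rule: member iff conf >= thr)."""
    best_thr, best_acc = None, -1.0
    for thr in sorted(set(members) | set(nonmembers)):
        correct = sum(c >= thr for c in members) + sum(c < thr for c in nonmembers)
        acc = correct / (len(members) + len(nonmembers))
        if acc > best_acc:
            best_thr, best_acc = thr, acc
    return best_thr


def attack_accuracy(model, members, nonmembers, thr, release=lambda p: p):
    """Balanced member/non-member evaluation; 0.5 is chance."""
    preds = [confidence(release(model.predict_proba(v))) >= thr for v, _ in members]
    preds += [confidence(release(model.predict_proba(v))) < thr for v, _ in nonmembers]
    return sum(preds) / len(preds)


def run_experiment(seed=0):
    rng = random.Random(seed)
    # Four disjoint splits: target train / held-out, shadow train / held-out.
    t_in, t_out, s_in, s_out = (make_utterances(rng, PER_SPLIT) for _ in range(4))
    target, shadow = MemorizingSpeakerModel(t_in), MemorizingSpeakerModel(s_in)
    results = {}
    for name, release in (("undefended", lambda p: p), ("label_only", label_only)):
        # The attacker calibrates on the shadow model under the same release policy.
        thr = fit_threshold([confidence(release(shadow.predict_proba(v))) for v, _ in s_in],
                            [confidence(release(shadow.predict_proba(v))) for v, _ in s_out])
        results[name] = attack_accuracy(target, t_in, t_out, thr, release)
    return results


if __name__ == "__main__":
    for name, acc in run_experiment().items():
        print(f"{name:>11}: attack accuracy = {acc:.2f}")
```

The undefended model leaks membership because a stored utterance always receives the maximal kernel score, so its softmax confidence sits above anything a held-out utterance of the same speaker can reach; the shadow model lets the attacker learn that cut-off without access to the target's training data. Under label-only release every query returns confidence 1.0, the threshold has nothing to separate, and accuracy on the balanced set collapses to 0.5. The caveat a practitioner should keep in mind is that this defends only against confidence-based attacks: if the model misclassified held-out speakers noticeably more often than training speakers, a label-only attack would still recover some signal, which is why the paper pairs obfuscation with training-side defenses.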
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Anomaly Detection Techniques and Applications · Privacy-Preserving Technologies in Data
