Privacy Leakage Avoidance with Switching Ensembles
Rauf Izmailov, Peter Lin, Chris Mesterharm, Samyadeep Basu

TL;DR
This paper introduces PASE, a switching ensemble method that effectively defends against membership inference attacks in machine learning with minimal accuracy loss and acceptable computational overhead.
Contribution
It proposes a novel switching ensemble approach, PASE, that enhances privacy protection against inference attacks while maintaining high model utility.
Findings
PASE significantly reduces privacy leakage compared to baseline methods.
PASE achieves comparable accuracy with minimal performance tradeoffs.
Experimental results on image datasets validate the effectiveness of PASE.
Abstract
We consider membership inference attacks, one of the main privacy issues in machine learning. These recently developed attacks have been proven successful in determining, with confidence better than a random guess, whether a given sample belongs to the dataset on which the attacked machine learning model was trained. Several approaches have been developed to mitigate this privacy leakage but the tradeoff performance implications of these defensive mechanisms (i.e., accuracy and utility of the defended machine learning model) are not well studied yet. We propose a novel approach of privacy leakage avoidance with switching ensembles (PASE), which both protects against current membership inference attacks and does that with very small accuracy penalty, while requiring acceptable increase in training and inference time. We test our PASE method, along with the current state-of-the-art…
