ML-Doctor: Holistic Risk Assessment of Inference Attacks Against Machine Learning Models
Yugeng Liu, Rui Wen, Xinlei He, Ahmed Salem, Zhikun Zhang, Michael Backes, Emiliano De Cristofaro, Mario Fritz, and Yang Zhang

TL;DR
This paper presents a comprehensive risk assessment of four inference attack types on machine learning models, analyzing their effectiveness, influencing factors, and defenses through extensive experiments and a new software tool.
Contribution
It introduces a holistic framework and taxonomy for inference attack risks, along with an extensive evaluation across multiple models and datasets, filling a gap in existing research.
Findings
Dataset complexity influences attack performance
Model stealing and membership inference are negatively correlated
Defenses like DP-SGD and Knowledge Distillation only partially mitigate attacks
Abstract
Inference attacks against Machine Learning (ML) models allow adversaries to learn sensitive information about training data, model parameters, etc. While researchers have studied, in depth, several kinds of attacks, they have done so in isolation. As a result, we lack a comprehensive picture of the risks caused by the attacks, e.g., the different scenarios they can be applied to, the common factors that influence their performance, the relationship among them, or the effectiveness of possible defenses. In this paper, we fill this gap by presenting a first-of-its-kind holistic risk assessment of different inference attacks against machine learning models. We concentrate on four attacks -- namely, membership inference, model inversion, attribute inference, and model stealing -- and establish a threat model taxonomy. Our extensive experimental evaluation, run on five model architectures…
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Privacy-Preserving Technologies in Data · Artificial Intelligence in Healthcare and Education
Methods: Knowledge Distillation · Batch Normalization · Pointwise Convolution · Depthwise Convolution · Average Pooling · Residual Connection · Softmax · Dense Connections · Depthwise Separable Convolution
