Redactor: A Data-centric and Individualized Defense Against Inference Attacks

TL;DR

Redactor introduces a data-centric defense method that uses probabilistic decision boundaries and data programming to protect individual privacy against inference attacks by inserting carefully chosen data points.

Contribution

The paper presents a novel approach combining data insertion and probabilistic label estimation to defend against inference attacks without controlling labelers or deleting data.

Findings

Effective in defending against inference attacks

Scalable to large datasets

Uses probabilistic decision boundaries as label proxies

Abstract

Information leakage is becoming a critical problem as various information becomes publicly available by mistake, and machine learning models train on that data to provide services. As a result, one's private information could easily be memorized by such trained models. Unfortunately, deleting information is out of the question as the data is already exposed to the Web or third-party platforms. Moreover, we cannot necessarily control the labeling process and the model trainings by other parties either. In this setting, we study the problem of targeted disinformation generation where the goal is to dilute the data and thus make a model safer and more robust against inference attacks on a specific target (e.g., a person's profile) by only inserting new data. Our method finds the closest points to the target in the input space that will be labeled as a different class. Since we cannot control the labeling process, we instead conservatively estimate the labels probabilistically by combining decision boundaries of multiple classifiers using data programming techniques. Our experiments show that a probabilistic decision boundary can be a good proxy for labelers, and that our approach is effective in defending against inference attacks and can scale to large data.