TL;DR
NeuGuard is a novel neuron-guided defense mechanism that effectively protects machine learning models from membership inference attacks by controlling neuron activations to improve privacy without sacrificing utility.
Contribution
NeuGuard introduces a joint control approach over output and inner neurons, addressing weaknesses in existing defenses and enhancing privacy protection against multiple MIAs.
Findings
NeuGuard outperforms existing defenses in utility-privacy trade-off.
It effectively defends against multiple neural network-based MIAs.
NeuGuard demonstrates generality and low overhead across datasets.
Abstract
Membership inference attacks (MIAs) against machine learning models can lead to serious privacy risks for the training dataset used in model training. In this paper, we propose a novel and effective Neuron-Guided Defense method, named NeuGuard, against membership inference attacks (MIAs). We identify a key weakness in existing defense mechanisms against MIAs: they cannot simultaneously defend against the two commonly used neural network-based MIAs, indicating that these two attacks should be evaluated separately to assure defense effectiveness. We propose NeuGuard, a new defense approach that jointly controls the output and inner neurons' activations with the objective of guiding the model outputs on the training set and the testing set to have close distributions. NeuGuard consists of class-wise variance minimization, targeting the restriction of the final output neurons, and layer-wise balanced…