SNAP: Efficient Extraction of Private Properties with Poisoning
Harsh Chaudhari, John Abascal, Alina Oprea, Matthew Jagielski, Florian Tramèr, Jonathan Ullman

TL;DR
SNAP is an efficient property inference attack that leverages training data poisoning to outperform existing methods in success rate and speed, revealing global dataset properties with lower computational costs.
Contribution
We introduce SNAP, a novel poisoning-based property inference attack that is more efficient and effective than prior approaches, reducing computational overhead and increasing success rates.
Findings
SNAP achieves a 34% higher success rate on the Census dataset.
SNAP is 56.5 times faster than previous poisoning-based attacks.
SNAP effectively infers properties and their proportions across multiple datasets.
Abstract
Property inference attacks allow an adversary to extract global properties of the training dataset from a machine learning model. Such attacks have privacy implications for data owners sharing their datasets to train machine learning models. Several existing approaches for property inference attacks against deep neural networks have been proposed, but they all rely on the attacker training a large number of shadow models, which induces a large computational overhead. In this paper, we consider the setting of property inference attacks in which the attacker can poison a subset of the training dataset and query the trained target model. Motivated by our theoretical analysis of model confidences under poisoning, we design an efficient property inference attack, SNAP, which obtains higher attack success and requires lower amounts of poisoning than the state-of-the-art poisoning-based…
Taxonomy
Topics: Privacy-Preserving Technologies in Data · Adversarial Robustness in Machine Learning · Artificial Intelligence in Healthcare and Education
