Abstract
This article addresses the confidentiality of models in machine learning systems. The study analyzes attacks aimed at violating model confidentiality, together with methods of protection against them, and as a result formulates the protection task as a search for anomalies in the input data. A method is proposed for detecting anomalies in the input data on the basis of query statistics, taking into account the possibility that the intruder resumes the attack under a different account. The results obtained can serve as a basis for designing components of machine learning security systems.
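The detection idea described above can be illustrated with a minimal sketch (all names, thresholds, and the choice of statistic here are hypothetical illustrations, not the article's exact method): per-query statistics are maintained globally rather than per account, so an attacker who resumes probing under a new account is still measured against the same baseline, and a query is flagged as anomalous when its deviation from the running mean exceeds a z-score threshold.

```python
import math

class QueryAnomalyDetector:
    """Flags anomalous queries using running statistics (Welford's algorithm).

    Statistics are aggregated across all accounts, so an intruder who
    resumes an attack under a different account is still compared against
    the same global baseline. This is an illustrative sketch only.
    """

    def __init__(self, threshold=3.0):
        self.threshold = threshold  # z-score cutoff for flagging
        self.n = 0                  # number of observations
        self.mean = 0.0             # running mean of the query statistic
        self.m2 = 0.0               # running sum of squared deviations

    def observe(self, value):
        """Update the running mean and variance with a new query statistic."""
        self.n += 1
        delta = value - self.mean
        self.mean += delta / self.n
        self.m2 += delta * (value - self.mean)

    def is_anomalous(self, value):
        """Return True if the value deviates strongly from the baseline."""
        if self.n < 2:
            return False  # not enough data to estimate variance
        std = math.sqrt(self.m2 / (self.n - 1))
        if std == 0.0:
            return value != self.mean
        return abs(value - self.mean) / std > self.threshold
```

In use, the statistic fed to the detector could be, for example, the distance between successive queries from the model's input space, since extraction and inversion attacks tend to produce atypically structured query sequences; the specific statistic is an assumption of this sketch.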
Funding
This work was supported by ongoing institutional funding. No additional grants to carry out or direct this particular research were obtained.
Ethics declarations
The authors of this work declare that they have no conflicts of interest.
Additional information
Translated by S. Kuznetsov
Publisher’s Note.
Allerton Press remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.
About this article
Cite this article
Poltavtseva, M.A., Rudnitskaya, E.A. Confidentiality of Machine Learning Models. Aut. Control Comp. Sci. 57, 975–982 (2023). https://doi.org/10.3103/S0146411623080242