comprehensive privacy analysis of deep learning
play

Comprehensive Privacy Analysis of Deep Learning: Passive and Active - PowerPoint PPT Presentation

Feb 25, 2023 •276 likes •568 views

Comprehensive Privacy Analysis of Deep Learning: Passive and Active White-box Inference Attacks against Centralized and Federated Learning Milad Nasr 1 , Reza Shokri 2 , Amir Houmansadr 1 1 University of Massachusetts Amherst, 2 National

  1. Comprehensive Privacy Analysis of Deep Learning: � Passive and Active White-box Inference Attacks against Centralized and Federated Learning � Milad Nasr 1 , Reza Shokri 2 , Amir Houmansadr 1 1 University of Massachusetts Amherst, 2 National University of Singapore 1

  2. Deep learning Tasks � Personal History Medical Location Financial 2

  3. Privacy Threats � • We provide a comprehensive privacy analysis of deep learning algorithms. • Our objective is to measure information leakage of deep learning models about their training data • In particular we emphasize on membership inference attacks • Can an adversary infer whether or not a particular data record was part of the training set? 3

  4. � � Membership Inference � Output Vector Output � Pattern � Train Data � Member Trained Model � Non Member Data Distribution What is the cause of this behavior ? � 4

  5. Training a Model � 3.5 � SGD: 𝑿 3 � Model parameters 𝐌 Loss 2.5 � Train Data 𝛂 ​ 𝐌 ↓ 𝐱 Loss gradient w.r.t parameters 2 � 𝑿 = 𝑿 − 𝜷 𝛂 ​ 𝐌 ↓ 𝐱 1.5 � Model parameters 1 � change in the opposite direction 0.5 � of each training 0 � data point’s 0 � 0.5 � 1 � 1.5 � 2 � 2.5 � 3 � 3.5 � gradient � 5

  6. Training a Model � 4 � 3.5 � 3 � Train Data 2.5 � 2 � 1.5 � 1 � 0.5 � 0 � 0 � 0.5 � 1 � 1.5 � 2 � 2.5 � 3 � 3.5 � 6

  7. Training a Model � 4 � 3.5 � 3 � Train Data Gradients leak 2.5 � information by behaving differently 2 � for non-member data Non member 1.5 � data vs. member data. � 1 � 0.5 � 0 � 0 � 0.5 � 1 � 1.5 � 2 � 2.5 � 3 � 3.5 � 7

  8. Gradients Leak Information � Gradient Norm Distribution � 1 � Separable distributions 0.9 � 0.8 � 0.7 � Members � 0.6 � 0.5 � Non-Member � 0.4 � 0.4 � 0.3 � 0.2 � 0.14 � 0.1 � 0.1 � 0.09 � 0.07 � 0.07 � 0 � 0 � 100 � 200 � 300 � 400 � 500 � 8

  9. Different Learning/Attack Settings � • Fully trained • Black/ White box • Fine-tuning • Federated learning • Central/ local Attacker • Passive/ Active 9

  10. � � � � � � � � � � Federated Model � Central Model � Local Local Local Local Model � Model � Model � Model � … Training Training Training Training Local Data � Local Data � Local Data � Local Data � Collaborator 3 Collaborator 1 Collaborator n Collaborator 2 10

  11. Federated Learning � Multiple observations: 3.5 � 4 � 4 � 3 � 3.5 � 3.5 � 3 � 3 � 2.5 � 2.5 � 2.5 � 2 � 2 � 2 � 1.5 � 1.5 � 1.5 � 1 � 1 � 1 � 0.5 � 0.5 � 0.5 � 0 � 0 � 0 � 0 � 0.5 � 1 � 1.5 � 2 � 2.5 � 3 � 3.5 � 0 � 0.5 � 1 � 1.5 � 2 � 2.5 � 3 � 3.5 � 0 � 0.5 � 1 � 1.5 � 2 � 2.5 � 3 � 3.5 � Epoch 1 Epoch 2 Epoch n Every point leave traces on the target function 11

  12. Active Attack on Federated Learning � 4 � Target member 3.5 � Target non-member 3 � 2.5 � Active attacker 2 � change the parameters in the 1.5 � direction of the 1 � gradient � 0.5 � 0 � 0 � 0.5 � 1 � 1.5 � 2 � 2.5 � 3 � 3.5 � 12

  13. Active Attack on Federated Learning � 4 � 3.5 � For the data points 3 � that are in the 2.5 � training dataset, 2 � local training will compensate for the 1.5 � active attacker � 1 � 0.5 � 0 � 0 � 0.5 � 1 � 1.5 � 2 � 2.5 � 3 � 3.5 � 13

  14. Active Attacks in � Federated Model � 6 � 5 � Target Members � 4 � Gradient norm � Target Non- 3 � member � Member instances � 2 � Non-member instances � 1 � 0 � 1 � 2 � 3 � 4 � 10 � 20 � 30 � 40 � 50 � 60 � 70 � 80 � Epochs � 14

  15. � � � � � � Scenario 1: Fully Trained Model � Dog Cat Trained Trained Model � Model � Not Observable Output vector Input Training Outputs of all layers Loss Dataset Gradients of all layers Attacker 15

  16. � � � � � � � � � � Scenario 2: Central Attacker in � Federated Model � Central Model � Local Local Local Local Model � Model � Model � Model � … Training Training Training Training Local Data � Local Data � Local Data � Local Data � Collaborator 3 Collaborator 1 Collaborator n Collaborator 2 16

  17. � � � � � � � � Scenario 2: Central Attacker in � Federated Model � In addition to the local attacker observations: Isolated Target individual Model � collaborators Isolated any collaborators L Central o c Model � a l U p d a t e s Not observable Not observable Not observable Not observable Local Local Local Local Model � Model � Model � Model � … Training Training Training Training

  18. � � � � � � � � � � Scenario 3: Local Attacker in � Federated Learning � Epoch 1: Central Not Observable Outputs of all layers Model � Epoch 2: Loss Outputs of all layers Gradients of all layers Active Loss Gradients of all layers Local Local Local Local Model � Model � Model � Model � . . . … Training Training Training Training Epoch N: Outputs of all layers Loss Local Data � Local Data � Local Data � Local Data � Gradients of all layers Collaborator 3 Collaborator 1 Collaborator n Collaborator 2 18

  19. Score function � Di ff erent observation: Epoch 1: Outputs of all layers Epoch 2: Loss Outputs of all layers Gradients of all layers Loss Gradients of all layers Member ? Non-member Input � Score � . . . Epoch N: Outputs of all layers Loss Gradients of all layers 19

  20. Experimental Setup � • Unlike previous works, we used publicly available pretrained models • We used all common regularization techniques • We implemented our attacks in PyTorch • We used following datasets: • CIFAR100 • Purchase100 • Texas100 20

  21. Results � 21

  22. Pretrained Models Attacks � Gradients leak significant information Last layer contains the most information 22

  23. Federated Attacks � Global attack is more powerful An active attacker can force SGD than the local attacker to leak more information 23

  24. Conclusions � • We go beyond black-box scenario and try to understand why a deep learning model leak information • Gradients leak information about the training dataset • Attacker in the federated learning can take the advantage of multiple observations to leak more information • In the federated setting, an attacker can actively force SGD to leak information Questions ? 24

  25. Overall Attack Model � Output Layer 1 output � Epoch 1: Component � Layer 1 output � Layer 1 output � Layer 1 output � Layer 1 gradient � Layer 1 output � Layer 1 gradient � Layer 1 output � Gradient Layer 1 gradient � Layer 1 output � Epoch n : Layer 1 gradient � Layer 1 output � Component � Layer 1 gradient � Layer 1 output � Layer 2 output � Layer 1 gradient � Layer 2 output � Layer 1 gradient � Layer 2 output � Layer 1 gradient � Layer 2 output � Output Layer 2 gradient � Layer 1 gradient � Layer 2 output � Layer 2 gradient � Layer 2 output � Component � Layer 2 gradient � Layer 2 output � . Layer 2 gradient � Layer 2 output � . Layer 2 gradient � Layer 2 output � . . Layer 2 gradient � . . Gradient Layer 2 gradient � . . . Layer 2 gradient � . . Component � . Layer 2 gradient � . . . . . . . Member ? Non-member . . . . . Layer n output � . . Layer n output � . . Layer n output � . Layer n output � Output Layer n gradient � . Layer n output � Layer n gradient � Layer n output � Component � Layer n gradient � Layer n output � Layer n gradient � Layer n output � Layer n gradient � Layer n output � Layer n gradient � Gradient Loss � Layer n gradient � Loss � Layer n gradient � Loss � Component � Layer n gradient � Loss � Loss � Label � Loss � Label � Loss � Loss Label � Loss � Label � Loss � Label � Component � Label � Label � Label � Label � Label 25 Component �

  26. � � � � � � � � � � � � Scenario 4: Fine-Tuning Model � Outputs of all layers General Loss Model � General Fine-Tuned Gradients of all layers Model � Model � Specialized General Not Observable None � dataset � dataset � Training Training Attacker Outputs of all layers Fine-Tuned Loss Model � Dataset Gradients of all layers Specialized Dataset 26

  27. Fine-tuning Attacks � Distinguishing Distinguishing Distinguishing Specialized / non- specialized/general general / non-member Dataset Arch member datasets datasets datasets Both specialized and general datasets are vulnerable to the membership attacks 27

  28. Federated Attacks � 28

  29. � � � � � � � � � � � � Fine-Tuning Model Leakage � Outputs of all layers General Loss Model � General Fine-Tuned Gradients of all layers Model � Model � Specialized General Not Observable None � dataset � dataset � Training Training Attacker Outputs of all layers Fine-Tuned Loss Model � Dataset Gradients of all layers Specialized Dataset 29

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

A Comprehensive Study of Deep Learning for Side-Channel Analysis c Masure 1,3 ecile Dumas 1

A Comprehensive Study of Deep Learning for Side-Channel Analysis c Masure 1,3 ecile Dumas 1

A Comprehensive Study of Deep Learning for Side-Channel Analysis A Comprehensive Study of Deep Learning for Side-Channel Analysis c Masure 1,3 ecile Dumas 1 Emmanuel Prouff 2, 3 Lo C 1 Univ. Grenoble Alpes, CEA, LETI, DSYS, CESTI, F-38000

1.39k views • 86 slides
Deep Learning With Differential Privacy Presenter: Xiaojun Xu Deep Learning Framework

Deep Learning With Differential Privacy Presenter: Xiaojun Xu Deep Learning Framework

Deep Learning With Differential Privacy Presenter: Xiaojun Xu Deep Learning Framework Autonomous Driving Gaming Face Recognition Healthcare Deep Learning Framework Dataset Server Model Privacy Issues of Training Data Dataset Server

366 views • 33 slides
DEEP LEARNING WITH DIFFERENTIAL PRIVACY Martin Abadi, Andy Chu, Ian Goodfellow*, Brendan

DEEP LEARNING WITH DIFFERENTIAL PRIVACY Martin Abadi, Andy Chu, Ian Goodfellow*, Brendan

DEEP LEARNING WITH DIFFERENTIAL PRIVACY Martin Abadi, Andy Chu, Ian Goodfellow*, Brendan McMahan, Ilya Mironov, Kunal Talwar, Li Zhang Google * Open AI 2 3 Deep Learning Fashion Cognitive tasks: speech, text, image recognition

787 views • 53 slides
TOWARDS CREATING A KNOWLEDGE GAP FOR DEEP LEARNING BASED MEDICAL IMAGE ANALYSIS Dr. S.

TOWARDS CREATING A KNOWLEDGE GAP FOR DEEP LEARNING BASED MEDICAL IMAGE ANALYSIS Dr. S.

TOWARDS CREATING A KNOWLEDGE GAP FOR DEEP LEARNING BASED MEDICAL IMAGE ANALYSIS Dr. S. Kevin Zhou, Chinese Academy of Sciences Deep learning Input Algorithm: Output image variable Deep network X Y Y = f(X; W) Learning: arg min W S

685 views • 36 slides
A Comprehensive Structure and Privacy Analysis of Tor Hidden Services Iskander Sanchez-Rola,

A Comprehensive Structure and Privacy Analysis of Tor Hidden Services Iskander Sanchez-Rola,

The Onions Have Eyes: A Comprehensive Structure and Privacy Analysis of Tor Hidden Services Iskander Sanchez-Rola, Davide Balzarotti, Igor Santos Tor Hidden Services Provides anonymity through the onion routing protocol Tor

958 views • 23 slides
How to build privacy and security into deep learning models Yishay Carmiel @YishayCarmiel The

How to build privacy and security into deep learning models Yishay Carmiel @YishayCarmiel The

How to build privacy and security into deep learning models Yishay Carmiel @YishayCarmiel The evolution of AI AI has evolved a lot over the last few years Speech Recognition Computer Vision Machine Translation Natural Language Processing

939 views • 54 slides
Sense Making in an IOT World: Sensor Data Analysis with Deep Learning Natalia Vassilieva, PhD

Sense Making in an IOT World: Sensor Data Analysis with Deep Learning Natalia Vassilieva, PhD

GTC 2016 Sense Making in an IOT World: Sensor Data Analysis with Deep Learning Natalia Vassilieva, PhD Senior Research Manager Deep learning proof points as of today Vision Speech Text Other Search & information Interactive voice

351 views • 33 slides
SECURITY, ADVERSARIAL SECURITY, ADVERSARIAL LEARNING, AND PRIVACY LEARNING, AND PRIVACY

SECURITY, ADVERSARIAL SECURITY, ADVERSARIAL LEARNING, AND PRIVACY LEARNING, AND PRIVACY

SECURITY, ADVERSARIAL SECURITY, ADVERSARIAL LEARNING, AND PRIVACY LEARNING, AND PRIVACY Christian Kaestner with slides from Eunsuk Kang Required reading: Hulten, Geoff. "Building Intelligent Systems: A Guide to Machine Learning

1.95k views • 113 slides
When Harmonic Analysis Meets Machine Learning: Lipschitz Analysis of Deep Convolution Networks

When Harmonic Analysis Meets Machine Learning: Lipschitz Analysis of Deep Convolution Networks

When Harmonic Analysis Meets Machine Learning: Lipschitz Analysis of Deep Convolution Networks Radu Balan Department of Mathematics, AMSC, CSCAMM and NWC University of Maryland, College Park, MD Joint work with Dongmian Zou (UMD), Maneesh Singh

771 views • 59 slides
DeepType: On-Device Deep Learning for Input Personalization Service with Minimal Privacy Concern

DeepType: On-Device Deep Learning for Input Personalization Service with Minimal Privacy Concern

DeepType: On-Device Deep Learning for Input Personalization Service with Minimal Privacy Concern Mengwei Xu 1 , Feng Qian 2 , Qiaozhu Mei 3 Kang Huang 4 , Xuanzhe Liu 1 , Yun Ma 1 1 Peking University, 2 University of Minnesota, 3 University of

293 views • 26 slides
Deep Learning in Pulmonary Image Analysis with Incomplete Training Samples Ziyue Xu, Staff

Deep Learning in Pulmonary Image Analysis with Incomplete Training Samples Ziyue Xu, Staff

Deep Learning in Pulmonary Image Analysis with Incomplete Training Samples Ziyue Xu, Staff Scientist, National Institutes of Health Nov. 2nd, 2017 (GTC DC Talk DC7137) Image Analysis Arguably the most successful application of deep

469 views • 18 slides
Hao Su July 6, 2017 Outline Overview of 3D deep learning 3D deep learning algorithms

Hao Su July 6, 2017 Outline Overview of 3D deep learning 3D deep learning algorithms

Deep 3D Representation Learning for Visual Computing Hao Su July 6, 2017 Outline Overview of 3D deep learning 3D deep learning algorithms Conclusion 2 Outline Overview of 3D deep learning Background 3D deep learning tasks 3D deep

1.66k views • 122 slides
Natural Language Processing with Deep Learning Sentiment Analysis with Machine Learning Navid

Natural Language Processing with Deep Learning Sentiment Analysis with Machine Learning Navid

Natural Language Processing with Deep Learning Sentiment Analysis with Machine Learning Navid Rekab-Saz navid.rekabsaz@jku.at Institute of Computational Perception Agenda Introduction to Machine Learning Sentiment Analysis

844 views • 53 slides
ACCELERATE DEEP LEARNING WITH NVIDIA'S DEEP LEARNING PLATFORM | STEPHEN JONES | GTC16 DEEP

ACCELERATE DEEP LEARNING WITH NVIDIA'S DEEP LEARNING PLATFORM | STEPHEN JONES | GTC16 DEEP

ACCELERATE DEEP LEARNING WITH NVIDIA'S DEEP LEARNING PLATFORM | STEPHEN JONES | GTC16 DEEP LEARNING EVERYWHERE INTERNET & CLOUD MEDICINE & BIOLOGY MEDIA & ENTERTAINMENT SECURITY & DEFENSE AUTONOMOUS MACHINES Image

307 views • 26 slides
Deep Transfer Learning for Visual Analysis Yu-Chiang Frank Wang, Associate Professor Dept.

Deep Transfer Learning for Visual Analysis Yu-Chiang Frank Wang, Associate Professor Dept.

Deep Transfer Learning for Visual Analysis Yu-Chiang Frank Wang, Associate Professor Dept. Electrical Engineering, National Taiwan University Taipei, Taiwan 2018/5/19 2 nd AII Workshop Trends of Deep Learning 2 Transfer Learning: What, When,

617 views • 40 slides
Deep Learning for Text analysis Jan Platos 2018-09-09 Table of Contents Natural Language

Deep Learning for Text analysis Jan Platos 2018-09-09 Table of Contents Natural Language

Deep Learning for Text analysis Jan Platos 2018-09-09 Table of Contents Natural Language Processing Human Language Properties Deep Learning in NLP Representation of the meaning of a word Word2vec Language Modeling n-Gram Language model

841 views • 73 slides
Computer Security 3e Dieter Gollmann Security.di.unimi.it/sicurezza1516/ Chapter 16: 1 Chapter

Computer Security 3e Dieter Gollmann Security.di.unimi.it/sicurezza1516/ Chapter 16: 1 Chapter

Computer Security 3e Dieter Gollmann Security.di.unimi.it/sicurezza1516/ Chapter 16: 1 Chapter 16: Communications Security Chapter 16: 2 Agenda Threat model Secure tunnels Protocol design principles IPsec SSL/TLS EAP

899 views • 56 slides
DefRec: Establishing Physical Function Virtualization to Disrupt Reconnaissance of Power Grids

DefRec: Establishing Physical Function Virtualization to Disrupt Reconnaissance of Power Grids

DefRec: Establishing Physical Function Virtualization to Disrupt Reconnaissance of Power Grids Cyber-Physical Infrastructures Hui Lin 1 , Jianing Zhuang 1 , Yih-Chun Hu 2 , Huayu Zhou 1 1 University of Nevada, Reno 2 University of Illinois,

574 views • 33 slides
Cryptographically Sound Security Proofs for Basic and Public-key Kerberos ESORICS 2006 M.

Cryptographically Sound Security Proofs for Basic and Public-key Kerberos ESORICS 2006 M.

Cryptographically Sound Security Proofs for Basic and Public-key Kerberos ESORICS 2006 M. Backes 1 , I. Cervesato 2 , A. D. Jaggard 3 , A. Scedrov 4 , and J.-K. Tsay 4 1 Saarland University, 2 Carnegie Mellon University - Qatar, 3 Tulane

370 views • 18 slides
CS 4803 Computer and Network Security Alexandra (Sasha) Boldyreva Authenticated key exchange 1

CS 4803 Computer and Network Security Alexandra (Sasha) Boldyreva Authenticated key exchange 1

Diffie-Hellman key exchange Secure against passive eavesdropping but insecure against a man-in-the-middle attack CS 4803 Computer and Network Security Alexandra (Sasha) Boldyreva Authenticated key exchange 1 2 Adding key

492 views • 5 slides
Handout 7 Summary of this handout: Key Exchange Protocols Wide-Mouth Frog Needham-Schroeder

Handout 7 Summary of this handout: Key Exchange Protocols Wide-Mouth Frog Needham-Schroeder

06-20008 Cryptography The University of Birmingham Autumn Semester 2012 School of Computer Science Eike Ritter 8 November, 2012 Handout 7 Summary of this handout: Key Exchange Protocols Wide-Mouth Frog Needham-Schroeder Kerberos

477 views • 10 slides
Introduction to Security Attacks Services Mechanisms CSS441: Security and Cryptography

Introduction to Security Attacks Services Mechanisms CSS441: Security and Cryptography

CSS441 Introduction Concepts Architecture Introduction to Security Attacks Services Mechanisms CSS441: Security and Cryptography Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 20

678 views • 23 slides
Contents Introduction to data security Public key cryptosystems: Classical

Contents Introduction to data security Public key cryptosystems: Classical

Contents Introduction to data security Public key cryptosystems: Classical cryptosystems RSA Introduction to modern Prime number generation cryptography Polynomial arithmetic T-79.159 Block ciphers: DES, IDEA,

439 views • 15 slides
De-anonymizing Data CompSci 590.03 Instructor: Ashwin Machanavajjhala Lecture 2 : 590.03 Fall 12

De-anonymizing Data CompSci 590.03 Instructor: Ashwin Machanavajjhala Lecture 2 : 590.03 Fall 12

Source (http://xkcd.org/834/) De-anonymizing Data CompSci 590.03 Instructor: Ashwin Machanavajjhala Lecture 2 : 590.03 Fall 12 1 Announcements Project ideas will be posted on the site by Friday. You are welcome to send me (or talk to

763 views • 65 slides

More recommend