The number of IT services that use machine learning (ML) algorithms is continuously and rapidly growing, and many of them are used in practice to make some type of prediction from personal data. Not surprisingly, due to this sudden boom in ML, the way personal data are handled in ML systems is starting to raise serious privacy concerns that were previously unconsidered. Recently, Fredrikson et al. [USENIX 2014] [CCS 2015] proposed a novel attack against ML systems called the model inversion attack, which aims to infer sensitive attribute values of a target user. In their work, for the model inversion attack to be successful, the adversary is required to obtain two types of information concerning the target user prior to the attack: the output value (i.e., prediction) of the ML system and all of the non-sensitive values used to learn the output. Therefore, although the attack does raise new privacy concerns, since the adversary is required to know all of the non-sensitive values in advance, it is not completely clear how much risk is incurred by the attack. In particular, even though users may regard these values as non-sensitive, it may be difficult for the adversary to obtain all of the non-sensitive attribute values prior to the attack, hence making the attack invalid. The goal of this paper is to quantify the risk of model inversion attacks in the case when non-sensitive attributes of a target user are not available to the adversary. To this end, we first propose a general model inversion (GMI) framework, which models the amount of auxiliary information available to the adversary. Our framework captures the model inversion attack of Fredrikson et al. as a special case, while also capturing model inversion attacks that infer sensitive attributes without knowledge of non-sensitive attributes. For the latter attack, we provide a general methodology for inferring sensitive attributes of a target user without knowledge of non-sensitive attributes. At a high level, we use the data poisoning paradigm in a conceptually novel way and inject malicious data into the ML system in order to modify the internal ML model being used into a target ML model: a special type of ML model that allows one to perform model inversion attacks without knowledge of the non-sensitive attributes. Finally, following our general methodology, we cast ML systems that internally use linear regression models into our GMI framework and propose a concrete algorithm for model inversion attacks that does not require knowledge of the non-sensitive attributes. We show the effectiveness of our model inversion attack through experimental evaluation using two real data sets.
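To make the two attack settings described in the abstract concrete, the following is a minimal, purely illustrative Python sketch. It is not the authors' algorithm: the attribute layout, the weights, and the assumption that data poisoning can drive the non-sensitive coefficients of the learned model to (near) zero are all hypothetical choices made only for illustration.

# Illustrative sketch only -- not the paper's concrete algorithm.
# Hypothetical setup: a linear regression model f(x) = w0 + w.x with
# three non-sensitive attributes (indices 0-2) and one sensitive attribute (index 3).

import numpy as np

def invert_sensitive(w0, w, x_known, s_idx, y):
    # Solve y = w0 + sum_{i != s} w[i]*x[i] + w[s]*x[s] for the sensitive x[s].
    partial = w0 + sum(w[i] * x_known[i] for i in range(len(w)) if i != s_idx)
    return (y - partial) / w[s_idx]

w0 = 0.5
w = np.array([0.2, -0.1, 0.4, 1.5])   # hypothetical learned coefficients
x = np.array([1.0, 2.0, 0.5, 0.8])    # target user's attributes; x[3] is sensitive
y = w0 + w @ x                        # prediction released by the ML system

# (a) Fredrikson et al. setting: the adversary knows y and all non-sensitive values.
print(invert_sensitive(w0, w, x, s_idx=3, y=y))   # recovers 0.8

# (b) Intuition behind a "target ML model": if poisoning drove the non-sensitive
#     coefficients to ~0, the prediction alone would determine the sensitive value,
#     so no knowledge of non-sensitive attributes would be needed.
w_target = np.array([0.0, 0.0, 0.0, 1.5])
y_target = w0 + w_target @ x
print((y_target - w0) / w_target[3])              # recovers 0.8 from y_target only

Part (b) only illustrates the abstract's notion of a "target ML model"; the paper's concrete poisoning strategy and target model are defined in the full text.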
Seira HIDANO
KDDI Research, Inc.
Takao MURAKAMI
National Institute of Advanced Industrial Science and Technology (AIST)
Shuichi KATSUMATA
National Institute of Advanced Industrial Science and Technology (AIST), University of Tokyo
Shinsaku KIYOMOTO
KDDI Research, Inc.
Goichiro HANAOKA
National Institute of Advanced Industrial Science and Technology (AIST)
The copyright of the original papers published on this site belongs to IEICE. Unauthorized use of the original or translated papers is prohibited. See IEICE Provisions on Copyright for details.
Seira HIDANO, Takao MURAKAMI, Shuichi KATSUMATA, Shinsaku KIYOMOTO, Goichiro HANAOKA, "Model Inversion Attacks for Online Prediction Systems: Without Knowledge of Non-Sensitive Attributes" in IEICE TRANSACTIONS on Information,
vol. E101-D, no. 11, pp. 2665-2676, November 2018, doi: 10.1587/transinf.2017ICP0013.
Abstract: The number of IT services that use machine learning (ML) algorithms is continuously and rapidly growing, and many of them are used in practice to make some type of prediction from personal data. Not surprisingly, due to this sudden boom in ML, the way personal data are handled in ML systems is starting to raise serious privacy concerns that were previously unconsidered. Recently, Fredrikson et al. [USENIX 2014] [CCS 2015] proposed a novel attack against ML systems called the model inversion attack, which aims to infer sensitive attribute values of a target user. In their work, for the model inversion attack to be successful, the adversary is required to obtain two types of information concerning the target user prior to the attack: the output value (i.e., prediction) of the ML system and all of the non-sensitive values used to learn the output. Therefore, although the attack does raise new privacy concerns, since the adversary is required to know all of the non-sensitive values in advance, it is not completely clear how much risk is incurred by the attack. In particular, even though users may regard these values as non-sensitive, it may be difficult for the adversary to obtain all of the non-sensitive attribute values prior to the attack, hence making the attack invalid. The goal of this paper is to quantify the risk of model inversion attacks in the case when non-sensitive attributes of a target user are not available to the adversary. To this end, we first propose a general model inversion (GMI) framework, which models the amount of auxiliary information available to the adversary. Our framework captures the model inversion attack of Fredrikson et al. as a special case, while also capturing model inversion attacks that infer sensitive attributes without knowledge of non-sensitive attributes. For the latter attack, we provide a general methodology for inferring sensitive attributes of a target user without knowledge of non-sensitive attributes. At a high level, we use the data poisoning paradigm in a conceptually novel way and inject malicious data into the ML system in order to modify the internal ML model being used into a target ML model: a special type of ML model that allows one to perform model inversion attacks without knowledge of the non-sensitive attributes. Finally, following our general methodology, we cast ML systems that internally use linear regression models into our GMI framework and propose a concrete algorithm for model inversion attacks that does not require knowledge of the non-sensitive attributes. We show the effectiveness of our model inversion attack through experimental evaluation using two real data sets.
URL: https://global.ieice.org/en_transactions/information/10.1587/transinf.2017ICP0013/_p
@ARTICLE{e101-d_11_2665,
author={Seira HIDANO and Takao MURAKAMI and Shuichi KATSUMATA and Shinsaku KIYOMOTO and Goichiro HANAOKA},
journal={IEICE TRANSACTIONS on Information},
title={Model Inversion Attacks for Online Prediction Systems: Without Knowledge of Non-Sensitive Attributes},
year={2018},
volume={E101-D},
number={11},
pages={2665-2676},
abstract={The number of IT services that use machine learning (ML) algorithms is continuously and rapidly growing, and many of them are used in practice to make some type of prediction from personal data. Not surprisingly, due to this sudden boom in ML, the way personal data are handled in ML systems is starting to raise serious privacy concerns that were previously unconsidered. Recently, Fredrikson et al. [USENIX 2014] [CCS 2015] proposed a novel attack against ML systems called the model inversion attack, which aims to infer sensitive attribute values of a target user. In their work, for the model inversion attack to be successful, the adversary is required to obtain two types of information concerning the target user prior to the attack: the output value (i.e., prediction) of the ML system and all of the non-sensitive values used to learn the output. Therefore, although the attack does raise new privacy concerns, since the adversary is required to know all of the non-sensitive values in advance, it is not completely clear how much risk is incurred by the attack. In particular, even though users may regard these values as non-sensitive, it may be difficult for the adversary to obtain all of the non-sensitive attribute values prior to the attack, hence making the attack invalid. The goal of this paper is to quantify the risk of model inversion attacks in the case when non-sensitive attributes of a target user are not available to the adversary. To this end, we first propose a general model inversion (GMI) framework, which models the amount of auxiliary information available to the adversary. Our framework captures the model inversion attack of Fredrikson et al. as a special case, while also capturing model inversion attacks that infer sensitive attributes without knowledge of non-sensitive attributes. For the latter attack, we provide a general methodology for inferring sensitive attributes of a target user without knowledge of non-sensitive attributes. At a high level, we use the data poisoning paradigm in a conceptually novel way and inject malicious data into the ML system in order to modify the internal ML model being used into a target ML model: a special type of ML model that allows one to perform model inversion attacks without knowledge of the non-sensitive attributes. Finally, following our general methodology, we cast ML systems that internally use linear regression models into our GMI framework and propose a concrete algorithm for model inversion attacks that does not require knowledge of the non-sensitive attributes. We show the effectiveness of our model inversion attack through experimental evaluation using two real data sets.},
keywords={},
doi={10.1587/transinf.2017ICP0013},
ISSN={1745-1361},
month={November},}
TY - JOUR
TI - Model Inversion Attacks for Online Prediction Systems: Without Knowledge of Non-Sensitive Attributes
T2 - IEICE TRANSACTIONS on Information
SP - 2665
EP - 2676
AU - Seira HIDANO
AU - Takao MURAKAMI
AU - Shuichi KATSUMATA
AU - Shinsaku KIYOMOTO
AU - Goichiro HANAOKA
PY - 2018
DO - 10.1587/transinf.2017ICP0013
JO - IEICE TRANSACTIONS on Information
SN - 1745-1361
VL - E101-D
IS - 11
JA - IEICE TRANSACTIONS on Information
Y1 - November 2018
AB - The number of IT services that use machine learning (ML) algorithms is continuously and rapidly growing, and many of them are used in practice to make some type of prediction from personal data. Not surprisingly, due to this sudden boom in ML, the way personal data are handled in ML systems is starting to raise serious privacy concerns that were previously unconsidered. Recently, Fredrikson et al. [USENIX 2014] [CCS 2015] proposed a novel attack against ML systems called the model inversion attack, which aims to infer sensitive attribute values of a target user. In their work, for the model inversion attack to be successful, the adversary is required to obtain two types of information concerning the target user prior to the attack: the output value (i.e., prediction) of the ML system and all of the non-sensitive values used to learn the output. Therefore, although the attack does raise new privacy concerns, since the adversary is required to know all of the non-sensitive values in advance, it is not completely clear how much risk is incurred by the attack. In particular, even though users may regard these values as non-sensitive, it may be difficult for the adversary to obtain all of the non-sensitive attribute values prior to the attack, hence making the attack invalid. The goal of this paper is to quantify the risk of model inversion attacks in the case when non-sensitive attributes of a target user are not available to the adversary. To this end, we first propose a general model inversion (GMI) framework, which models the amount of auxiliary information available to the adversary. Our framework captures the model inversion attack of Fredrikson et al. as a special case, while also capturing model inversion attacks that infer sensitive attributes without knowledge of non-sensitive attributes. For the latter attack, we provide a general methodology for inferring sensitive attributes of a target user without knowledge of non-sensitive attributes. At a high level, we use the data poisoning paradigm in a conceptually novel way and inject malicious data into the ML system in order to modify the internal ML model being used into a target ML model: a special type of ML model that allows one to perform model inversion attacks without knowledge of the non-sensitive attributes. Finally, following our general methodology, we cast ML systems that internally use linear regression models into our GMI framework and propose a concrete algorithm for model inversion attacks that does not require knowledge of the non-sensitive attributes. We show the effectiveness of our model inversion attack through experimental evaluation using two real data sets.
ER -