
Efficient Membership Inference Attacks Method In Machine Learning Models

Posted on: 2020-08-31
Degree: Master
Type: Thesis
Country: China
Candidate: W J Feng
Full Text: PDF
GTID: 2428330599459615
Subject: Information and Communication Engineering
Abstract/Summary:
In recent years, the development of machine learning technology has brought great convenience to people's lives. For example, Amazon recommends products based on the user's purchase history, and Baidu collects users' geographic location data and provides advertising services based on that location information. These services require data for training, but recent research indicates that the trained model carries the risk of revealing user privacy. Our research focuses on the membership inference attack, an attack that determines whether a user's data was used to train the target machine learning model.

Existing membership inference attacks have several shortcomings: the data synthesized for the attack contains a large amount of noise, research on algorithms for simulating the target model is lacking, and research on countermeasures against membership inference is lacking. To address the large amount of noise in the synthesized data, we design the OPTICS algorithm and the NDSMOTE data expansion algorithm to restore the original training samples accurately under a small number of prior assumptions. To address the lack of prior assumptions for simulating the target model, we design and improve a generative adversarial network that simulates the target model and can accurately restore the attacked model without knowing the target model's parameters. To address the leakage of data privacy by the target model, we propose reducing the category vector, using a regularization term to alleviate overfitting, and using differential privacy to resist membership inference attacks.

Based on the research work of Stacey et al., we examined the F1 score of the attack model on each data set, using the Purchases, Hospital, MNIST and CIFAR-10 data sets. Under experimental hypothesis A, the best F1 score is 0.884 on the Purchase data set, 0.691 on the Hospital data set, 0.872 on the CIFAR-10 data set, and 0.834 on the MNIST data set. Under experimental hypothesis B, the best F1 score of the proposed attack method is 0.726 on the Purchase data set, 0.627 on the Hospital data set, 0.771 on the CIFAR-10 data set, and 0.643 on the MNIST data set. The experiments show that our proposed membership inference attack algorithm is effective and widely applicable on real data sets.
Keywords/Search Tags: Membership inference attacks, Machine learning privacy protection, Density-based clustering algorithm, Generative adversarial networks