
Research On Defense Technology For Membership Inference Attack

Posted on: 2022-12-07
Degree: Master
Type: Thesis
Country: China
Candidate: Z Q Chen
Full Text: PDF
GTID: 2518306764466694
Subject: Automation Technology

Abstract/Summary:
With the rapid development of machine learning, it is now widely used in medical treatment, payment, social networking and other areas of people's daily life, and artificial intelligence can be seen everywhere in the world. However, the rapid development of artificial intelligence has also brought problems of data security and data privacy. In recent years there have been many large-scale user data privacy and security problems, and the membership inference attack is one of them. This attack lets an attacker, while using the service, infer private information about machine learning participants through a series of attack techniques. In recent years, researchers have also published many advanced papers on defending against membership inference attacks. However, the existing research results still have two deficiencies in the balance between security and model accuracy. On the one hand, among existing schemes that ensure the model can defend against membership inference attacks, most lose model accuracy or prediction confidence. On the other hand, in research on defense schemes that keep model accuracy undamaged, the adversary is set as a "single" attacker who strictly uses only one attack strategy. In practice, however, the adversary can easily use a variety of membership inference attack methods to attack the model, and these accuracy-preserving methods cannot defend well against a variety of attacks. Therefore, it is of great significance and value to study a general membership inference defense method that can defend against a variety of attacks without losing the accuracy of the machine learning service model.

To solve the above problems, the thesis makes an in-depth study of defense against membership inference attacks and puts forward two defense schemes, which are fused:

(1) A training defense scheme enhanced with optimized iterative data mixing. Under the premise of defending against membership inference attacks, the scheme solves the problem that existing schemes cannot defend against multiple membership inference attack methods. The scheme does not need to know the privacy data distribution of the defender in advance, and can be increased during the implementation of the scheme. The comparative analysis of efficiency shows that, under the premise of ensuring defense against the attack, the scheme has advantages in performance and efficiency.

(2) A soft label training defense scheme using label smoothing. The scheme has requirements on training accuracy. The model can avoid the loss of accuracy in membership inference defense training and enhance the ability to defend against membership inference attacks, which improves the practical value of the scheme. Finally, experimental comparison shows that the scheme has advantages and moderate computing overhead.
Keywords/Search Tags:Machine Learning, Membership Inference Attack, Defence Against Membership Inference Attack, Privacy Protection, AI Security