Research On Membership Inference Attack Defense Method Based On Sample Vulnerability

Posted on: 2023-08-21
Degree: Master
Type: Thesis
Country: China
Candidate: S Ni
GTID: 2568306836973679
Subject: Computer technology

Abstract/Summary:

The performance of machine learning models has reached a fairly high level, and the privacy and security of model data are receiving increasing attention. Attacks against machine learning models can effectively steal sensitive information from them, and the membership inference attack is a typical example. An attacker launches a membership inference attack on the target model to determine whether a specific sample is in the model's training set, which poses a serious threat to the privacy and security of the training data. Membership privacy protection methods reduce the risk of leaking membership privacy information by modifying the sensitive information contained in the model's output vector, but in doing so they inevitably reduce the usability of the model. Existing membership privacy protection methods defend all samples with the same method and strength, which introduces excessive noise into the model and greatly reduces its usability. This problem is especially prominent when protecting models with high generalization. How to analyze the vulnerability of samples to membership inference attacks, and how to apply adaptive privacy protection according to that vulnerability, has therefore become an urgent problem. Inspired by the vulnerable sample selection attack proposed by Long et al., this dissertation explores the vulnerability of different samples to membership inference attacks and improves two different types of membership privacy protection methods based on the sample vulnerability analysis method. The main research contents of this dissertation are as follows:

(1) A method is proposed to measure the uniqueness of the influence of training samples on the target model. By analyzing how differently individual samples influence the model parameters during training, the training samples that have a unique impact on the model are found. The relationship between how unique a member sample's impact on the model is and how vulnerable that sample is to a membership inference attack is then analyzed.

(2) To address the problem that the published model trained with the DMP (Distillation for Membership Privacy) defense method differs greatly in utility from the unprotected model, the vulnerable sample analysis method is used to optimize DMP. According to the vulnerability of the training samples, some features of the training samples are selected for replacement, and the similarity between the influence on the model of the features of each set of replacement samples and that of the sample to be replaced is constrained. This ensures the privacy and security of the model and reduces the difference in utility between the published model and the unprotected model.

(3) To address the problem that the MemGuard defense method introduces excessive redundant noise while protecting the privacy and security of the model, the sample vulnerability analysis method is used to optimize MemGuard. By measuring the uniqueness of the potential impact of the input sample on the target model, the method analyzes how difficult it is for the attacker to successfully infer the sample, so that redundant noise can be filtered and the total amount of noise introduced can be reduced.

Through comparative experiments, this dissertation confirms that the sample vulnerability analysis method can effectively find the vulnerable samples in the model training set, and verifies that adaptively adjusting the protection strength of DMP and MemGuard according to the vulnerability of the samples achieves a better balance between the privacy and security of the model and model usability.

Keywords/Search Tags: Machine Learning, Membership Inference Attack, Membership Privacy, Sample Vulnerability, Privacy Protection, Model Usability