Research Of Membership Inference Attack Against Machine Learning Based On Shadow Model

Posted on: 2024-09-30
Degree: Master
Type: Thesis
Country: China
Candidate: Z Han
Full Text: PDF
GTID: 2568306944959959
Subject: Computer Science and Technology

Abstract/Summary:
In recent years, with researchers’ in-depth exploration and improvement of machine learning theory, machine learning has achieved remarkable research results in many fields, such as Natural Language Processing and Computer Vision. Many commercial companies are applying machine learning techniques to improve the quality and efficiency of their services. However, many scientific studies and confirmed cases have shown that the privacy leakage of training data in machine learning is very prominent and poses a significant challenge to users’ privacy and data security.

In this paper, we focus on an attack that threatens the privacy of machine learning training data: the membership inference attack, that is, determining whether a given data record was used to train a machine learning model. Membership inference attacks against machine learning models have attracted much attention from researchers. Based on whether a binary attack model is constructed, membership inference attack methods can be classified into two categories: attack schemes based on shadow modeling techniques and metric-based attack schemes. Unlike metric-based schemes, shadow model-based schemes are not limited to specific target models, such as overfitted models. As long as the shadow model simulates the target model well enough, the attack model can attack effectively.

However, in the existing shadow model-based attack schemes, training the shadow model requires a large amount of prior knowledge. The realistic scenario is closer to the black-box scenario, in which the attacker may have only a small amount of relevant information, which is insufficient to support the training of shadow models. Therefore, it is more relevant to use shadow modeling techniques to launch membership inference attacks and obtain high accuracy in black-box scenarios. Based on realistic scenarios, this paper focuses on how to train shadow models and improve the accuracy of membership inference attacks under black-box access restrictions, from the perspectives of shadow model training sets and shadow model training methods. The results achieved during the research are as follows.

1. To address the challenge that the shadow model training data is insufficient to support training under black-box access to the target model, this paper proposes a VAE-GAN-based data synthesis framework to expand the training set of the shadow model. The framework creates a training set for the shadow model from a limited number of samples and keeps its distribution as similar as possible to that of the target model's training set, so that the attack model can better learn the difference between the model's prediction behavior on training and non-training data. Experimental results show that the method proposed in this paper can improve the efficiency of synthesizing shadow model training data and the resulting attack accuracy, and it is analyzed and compared with the work of other researchers.

2. For the black-box access scenario, where the information related to the target model is unknown and only the prediction ability of the target model can be exploited, this paper imitates the adversarial training approach of GAN. The shadow model serves as the generator of the GAN; the shadow model's prediction vector for a data sample is treated as fake and the target model's prediction vector for that data is treated as real; a discriminator is used to distinguish real prediction vectors from fake ones; and the discriminator and the shadow model are trained in an adversarial manner. This method trains the shadow model to improve its simulation of the target model in the black-box access scenario. Experimental results show that the proposed method can effectively simulate the predictive behavior of the target model, and it is compared with the work of other researchers. Other factors affecting the method’s accuracy are also investigated experimentally.

3. To address the lack of a system for visualizing and carrying out membership inference attacks in existing research, this paper designs and implements a membership inference attack system based on the above algorithms. The system mainly comprises data generation, shadow model training, attack model training, and attacking candidate data, and its usability is verified through system testing. The results show that the system can visualize and carry out the membership inference attack against machine learning models.
Keywords/Search Tags: machine learning, membership inference attack, shadow model, black-box model