Dual defense: Combining preemptive exclusion of members and knowledge distillation to mitigate membership inference attacks
Membership inference (MI) attacks threaten user privacy through determining if a given data example has been used to train a target model. Existing MI defenses protect the membership privacy through preemptive exclusion of members techniques and knowledge distillation. Unfortunately, using either of...
Saved in:
| Main Authors: | , , , , , , , , , , , , , , , , |
|---|---|
| Format: | Article |
| Language: | English |
| Published: |
KeAi Communications Co., Ltd.
2025-01-01
|
| Series: | Journal of Information and Intelligence |
| Subjects: | |
| Online Access: | http://www.sciencedirect.com/science/article/pii/S2949715924000556 |
| Tags: |
Add Tag
No Tags, Be the first to tag this record!
|
| _version_ | 1850054873125486592 |
|---|---|
| author | Jun Niu Peng Liu Chunhui Huang Yangming Zhang Moxuan Zeng Kuo Shen Yangzhong Wang Suyu An Yulong Shen Xiaohong Jiang Jianfeng Ma He Wang Gaofei Wu Anmin Fu Chunjie Cao Xiaoyan Zhu Yuqing Zhang |
| author_facet | Jun Niu Peng Liu Chunhui Huang Yangming Zhang Moxuan Zeng Kuo Shen Yangzhong Wang Suyu An Yulong Shen Xiaohong Jiang Jianfeng Ma He Wang Gaofei Wu Anmin Fu Chunjie Cao Xiaoyan Zhu Yuqing Zhang |
| author_sort | Jun Niu |
| collection | DOAJ |
| description | Membership inference (MI) attacks threaten user privacy through determining if a given data example has been used to train a target model. Existing MI defenses protect the membership privacy through preemptive exclusion of members techniques and knowledge distillation. Unfortunately, using either of these two defenses alone, the defense effect can still offers an unsatisfactory trade-off between membership privacy and utility.Given that the defense method that directly combines these two defenses is still very limited (e.g., the test accuracy of the target model is decreased by about 40% (in our experiments)), in this work, we propose a dual defense (DD) method that includes the preemptive exclusion of high-risk member samples module and the knowledge distillation module, which thwarts the access of the resulting models to the private training data twice to mitigate MI attacks. Our defense method can be divided into two steps: the preemptive exclusion of high-risk member samples (Step 1) and the knowledge distillation to obtain the protected student model (Step 2). We propose three types of exclusions: existing MI attacks-based exclusions, sample distances of members and nonmembers-based exclusions, and mutual information value-based exclusions, to preemptively exclude the high-risk member samples. During the knowledge distillation phase, we add ground-truth labeled data to the reference dataset to decrease the protected student model's dependency on soft labels, aiming to maintain or improve its test accuracy. Extensive evaluation shows that DD significantly outperforms state-of-the-art defenses and offers a better privacy-utility trade-off. For example, DD achieves ∼100% test accuracy improvement over the distillation for membership privacy (DMP) defense for ResNet50 trained on CIFAR100. DD simultaneously achieves the reductions in the attack effectiveness (e.g., the TPR@0.01%FPR of enhanced MI attacks decreased by 2.10% on the ImageNet dataset, the membership advantage (MA) of risk score-based attacks decreased by 56.30%) and improvements of the target models' test accuracies (e.g., by 42.80% on CIFAR100). |
| format | Article |
| id | doaj-art-74bdb418416448f1bdc8d8df548175b9 |
| institution | DOAJ |
| issn | 2949-7159 |
| language | English |
| publishDate | 2025-01-01 |
| publisher | KeAi Communications Co., Ltd. |
| record_format | Article |
| series | Journal of Information and Intelligence |
| spelling | doaj-art-74bdb418416448f1bdc8d8df548175b92025-08-20T02:52:08ZengKeAi Communications Co., Ltd.Journal of Information and Intelligence2949-71592025-01-0131689010.1016/j.jiixd.2024.06.002Dual defense: Combining preemptive exclusion of members and knowledge distillation to mitigate membership inference attacksJun Niu0Peng Liu1Chunhui Huang2Yangming Zhang3Moxuan Zeng4Kuo Shen5Yangzhong Wang6Suyu An7Yulong Shen8Xiaohong Jiang9Jianfeng Ma10He Wang11Gaofei Wu12Anmin Fu13Chunjie Cao14Xiaoyan Zhu15Yuqing Zhang16School of Computer Science and Technology, Xidian University, Xi'an 710071, ChinaInformation Sciences and Technology, Pennsylvania State University, PA 16802, USASchool of Cyberspace Security, Hainan University, Haikou 570228, ChinaSchool of Cyberspace Security, Hainan University, Haikou 570228, ChinaSchool of Cyberspace Security, Hainan University, Haikou 570228, ChinaSchool of Computer Science and Technology, Xidian University, Xi'an 710071, China; Information Sciences and Technology, Pennsylvania State University, PA 16802, USA; School of Cyberspace Security, Hainan University, Haikou 570228, China; School of Hangzhou Institute of Technology, Xidian University, Hangzhou 311231, China; School of Systems Information Science, Future University of Hakodate, Hakodate 041-8655, Japan; School of Cyber Engineering, Xidian University, Xi'an 710071, China; School of Computer Science and Engineering, Nanjing University of Science and Technology, Nanjing 210094, China; School of Telecommunications Engineering, Xidian University, Xi'an 710071, China; School of Computer & Control Engineering, University of Chinese Academy of Sciences, Beijing 101408, ChinaSchool of Cyberspace Security, Hainan University, Haikou 570228, ChinaSchool of Cyberspace Security, Hainan University, Haikou 570228, ChinaSchool of Computer Science and Technology, Xidian University, Xi'an 710071, ChinaSchool of Systems Information Science, Future University of Hakodate, Hakodate 041-8655, JapanSchool of Computer Science and Technology, Xidian University, Xi'an 710071, China; Information Sciences and Technology, Pennsylvania State University, PA 16802, USA; School of Cyberspace Security, Hainan University, Haikou 570228, China; School of Hangzhou Institute of Technology, Xidian University, Hangzhou 311231, China; School of Systems Information Science, Future University of Hakodate, Hakodate 041-8655, Japan; School of Cyber Engineering, Xidian University, Xi'an 710071, China; School of Computer Science and Engineering, Nanjing University of Science and Technology, Nanjing 210094, China; School of Telecommunications Engineering, Xidian University, Xi'an 710071, China; School of Computer & Control Engineering, University of Chinese Academy of Sciences, Beijing 101408, ChinaSchool of Computer Science and Technology, Xidian University, Xi'an 710071, China; Information Sciences and Technology, Pennsylvania State University, PA 16802, USA; School of Cyberspace Security, Hainan University, Haikou 570228, China; School of Hangzhou Institute of Technology, Xidian University, Hangzhou 311231, China; School of Systems Information Science, Future University of Hakodate, Hakodate 041-8655, Japan; School of Cyber Engineering, Xidian University, Xi'an 710071, China; School of Computer Science and Engineering, Nanjing University of Science and Technology, Nanjing 210094, China; School of Telecommunications Engineering, Xidian University, Xi'an 710071, China; School of Computer & Control Engineering, University of Chinese Academy of Sciences, Beijing 101408, ChinaSchool of Computer Science and Technology, Xidian University, Xi'an 710071, China; Information Sciences and Technology, Pennsylvania State University, PA 16802, USA; School of Cyberspace Security, Hainan University, Haikou 570228, China; School of Hangzhou Institute of Technology, Xidian University, Hangzhou 311231, China; School of Systems Information Science, Future University of Hakodate, Hakodate 041-8655, Japan; School of Cyber Engineering, Xidian University, Xi'an 710071, China; School of Computer Science and Engineering, Nanjing University of Science and Technology, Nanjing 210094, China; School of Telecommunications Engineering, Xidian University, Xi'an 710071, China; School of Computer & Control Engineering, University of Chinese Academy of Sciences, Beijing 101408, ChinaSchool of Computer Science and Engineering, Nanjing University of Science and Technology, Nanjing 210094, ChinaSchool of Cyberspace Security, Hainan University, Haikou 570228, ChinaCorresponding authors.; School of Computer Science and Technology, Xidian University, Xi'an 710071, China; Information Sciences and Technology, Pennsylvania State University, PA 16802, USA; School of Cyberspace Security, Hainan University, Haikou 570228, China; School of Hangzhou Institute of Technology, Xidian University, Hangzhou 311231, China; School of Systems Information Science, Future University of Hakodate, Hakodate 041-8655, Japan; School of Cyber Engineering, Xidian University, Xi'an 710071, China; School of Computer Science and Engineering, Nanjing University of Science and Technology, Nanjing 210094, China; School of Telecommunications Engineering, Xidian University, Xi'an 710071, China; School of Computer & Control Engineering, University of Chinese Academy of Sciences, Beijing 101408, ChinaSchool of Computer & Control Engineering, University of Chinese Academy of Sciences, Beijing 101408, China; Corresponding authors.Membership inference (MI) attacks threaten user privacy through determining if a given data example has been used to train a target model. Existing MI defenses protect the membership privacy through preemptive exclusion of members techniques and knowledge distillation. Unfortunately, using either of these two defenses alone, the defense effect can still offers an unsatisfactory trade-off between membership privacy and utility.Given that the defense method that directly combines these two defenses is still very limited (e.g., the test accuracy of the target model is decreased by about 40% (in our experiments)), in this work, we propose a dual defense (DD) method that includes the preemptive exclusion of high-risk member samples module and the knowledge distillation module, which thwarts the access of the resulting models to the private training data twice to mitigate MI attacks. Our defense method can be divided into two steps: the preemptive exclusion of high-risk member samples (Step 1) and the knowledge distillation to obtain the protected student model (Step 2). We propose three types of exclusions: existing MI attacks-based exclusions, sample distances of members and nonmembers-based exclusions, and mutual information value-based exclusions, to preemptively exclude the high-risk member samples. During the knowledge distillation phase, we add ground-truth labeled data to the reference dataset to decrease the protected student model's dependency on soft labels, aiming to maintain or improve its test accuracy. Extensive evaluation shows that DD significantly outperforms state-of-the-art defenses and offers a better privacy-utility trade-off. For example, DD achieves ∼100% test accuracy improvement over the distillation for membership privacy (DMP) defense for ResNet50 trained on CIFAR100. DD simultaneously achieves the reductions in the attack effectiveness (e.g., the TPR@0.01%FPR of enhanced MI attacks decreased by 2.10% on the ImageNet dataset, the membership advantage (MA) of risk score-based attacks decreased by 56.30%) and improvements of the target models' test accuracies (e.g., by 42.80% on CIFAR100).http://www.sciencedirect.com/science/article/pii/S2949715924000556Machine learningMembership inference defensesPreemptive exclusionKnowledge distillation |
| spellingShingle | Jun Niu Peng Liu Chunhui Huang Yangming Zhang Moxuan Zeng Kuo Shen Yangzhong Wang Suyu An Yulong Shen Xiaohong Jiang Jianfeng Ma He Wang Gaofei Wu Anmin Fu Chunjie Cao Xiaoyan Zhu Yuqing Zhang Dual defense: Combining preemptive exclusion of members and knowledge distillation to mitigate membership inference attacks Journal of Information and Intelligence Machine learning Membership inference defenses Preemptive exclusion Knowledge distillation |
| title | Dual defense: Combining preemptive exclusion of members and knowledge distillation to mitigate membership inference attacks |
| title_full | Dual defense: Combining preemptive exclusion of members and knowledge distillation to mitigate membership inference attacks |
| title_fullStr | Dual defense: Combining preemptive exclusion of members and knowledge distillation to mitigate membership inference attacks |
| title_full_unstemmed | Dual defense: Combining preemptive exclusion of members and knowledge distillation to mitigate membership inference attacks |
| title_short | Dual defense: Combining preemptive exclusion of members and knowledge distillation to mitigate membership inference attacks |
| title_sort | dual defense combining preemptive exclusion of members and knowledge distillation to mitigate membership inference attacks |
| topic | Machine learning Membership inference defenses Preemptive exclusion Knowledge distillation |
| url | http://www.sciencedirect.com/science/article/pii/S2949715924000556 |
| work_keys_str_mv | AT junniu dualdefensecombiningpreemptiveexclusionofmembersandknowledgedistillationtomitigatemembershipinferenceattacks AT pengliu dualdefensecombiningpreemptiveexclusionofmembersandknowledgedistillationtomitigatemembershipinferenceattacks AT chunhuihuang dualdefensecombiningpreemptiveexclusionofmembersandknowledgedistillationtomitigatemembershipinferenceattacks AT yangmingzhang dualdefensecombiningpreemptiveexclusionofmembersandknowledgedistillationtomitigatemembershipinferenceattacks AT moxuanzeng dualdefensecombiningpreemptiveexclusionofmembersandknowledgedistillationtomitigatemembershipinferenceattacks AT kuoshen dualdefensecombiningpreemptiveexclusionofmembersandknowledgedistillationtomitigatemembershipinferenceattacks AT yangzhongwang dualdefensecombiningpreemptiveexclusionofmembersandknowledgedistillationtomitigatemembershipinferenceattacks AT suyuan dualdefensecombiningpreemptiveexclusionofmembersandknowledgedistillationtomitigatemembershipinferenceattacks AT yulongshen dualdefensecombiningpreemptiveexclusionofmembersandknowledgedistillationtomitigatemembershipinferenceattacks AT xiaohongjiang dualdefensecombiningpreemptiveexclusionofmembersandknowledgedistillationtomitigatemembershipinferenceattacks AT jianfengma dualdefensecombiningpreemptiveexclusionofmembersandknowledgedistillationtomitigatemembershipinferenceattacks AT hewang dualdefensecombiningpreemptiveexclusionofmembersandknowledgedistillationtomitigatemembershipinferenceattacks AT gaofeiwu dualdefensecombiningpreemptiveexclusionofmembersandknowledgedistillationtomitigatemembershipinferenceattacks AT anminfu dualdefensecombiningpreemptiveexclusionofmembersandknowledgedistillationtomitigatemembershipinferenceattacks AT chunjiecao dualdefensecombiningpreemptiveexclusionofmembersandknowledgedistillationtomitigatemembershipinferenceattacks AT xiaoyanzhu dualdefensecombiningpreemptiveexclusionofmembersandknowledgedistillationtomitigatemembershipinferenceattacks AT yuqingzhang dualdefensecombiningpreemptiveexclusionofmembersandknowledgedistillationtomitigatemembershipinferenceattacks |