
DAMIA: Leveraging Domain Adaptation as a Defense against Membership Inference Attacks

05/16/2020
by   Hongwei Huang, et al.

Deep Learning (DL) techniques allow one to train models from a dataset to solve tasks. DL has attracted much interest given its impressive performance and potential market value, while security issues are amongst the most colossal concerns. However, DL models may be prone to the membership inference attack, where an attacker determines whether a given sample is from the training dataset. Efforts have been made to hinder the attack, but unfortunately they may lead to a major overhead or impaired usability. In this paper, we propose and implement DAMIA, leveraging Domain Adaptation (DA) as a defense against membership inference attacks. Our observation is that during the training process, DA obfuscates the dataset to be protected using another related dataset, and derives a model that underlyingly extracts the features from both datasets. Since the model is obfuscated, membership inference fails, while the extracted features support usability. Extensive experiments have been conducted to validate our intuition. The model trained by DAMIA has a negligible footprint on usability. Our experiments also exclude factors that may hinder the performance of DAMIA, providing a potential guideline for vendors and researchers to benefit from our solution in a timely manner.


1 Introduction

Deep Learning (DL) is a subfield of machine learning, inspired by the way human brains process data. Specifically, DL forms a mathematical model based on sample data, i.e., the training data, and progressively extracts higher-level features from the sample data, based on which the model can make decisions without human involvement. Due to its impressive performance, DL has been widely adopted in a large range of domains, including image classification [24, 19], object recognition [27], person re-identification [16], and disease prediction [20]. As an illustration of this trend, the market of DL is booming and estimated to hit USD 7.2 billion during 2020-2024, according to statistics from Technavio [36].

While DL is penetrating academia and industry, its explosive growth and huge potential also attract cybercriminals, bringing rampant security issues to the DL community. In general, the model may be publicly accessible, while the training data, as well as the properties of the training data, are considered confidential. Therefore, extracting the training samples and related information via the model violates the security setting of DL, which has been widely discussed in previous efforts [4, 32, 6, 29]. Among these attacks, the membership inference attack, proposed by Shokri et al. [32], has attracted a lot of recent attention [28, 3, 17]. In this attack, the attacker crafts a malicious inference model based on the predictions of a victim model. Because a model performs better when a sample comes from its original training dataset, the attacker may use the inference model to determine whether a sample is from the training dataset of the victim model.

A model without any capability against membership inference attacks may lead to grave consequences, in that DL models are adopted on large-dimension (and potentially sensitive) user datasets. For example, Pyrgelis et al. [28] show that membership inference is feasible on aggregate location data in real-world settings, where the attacker can reveal a user’s locations and actively trace the user. Chen et al. [3] deploy membership attacks against medical records, and the involved patients may be plagued by disease discrimination issues. Further, training data leakage may spawn pecuniary losses or even legal disputes for enterprises. According to the GDPR (General Data Protection Regulation) [41], vendors are now forced to protect user privacy, and violations of the GDPR may incur a penalty of up to 20 million euros, or 4% of the offender’s global turnover of the preceding fiscal year.

Efforts have been made to counter membership inference attacks, but they are plagued by either heavy overhead or hindered usability. These efforts can be categorized into three groups: (i) regularization-based defenses; (ii) adversarial-attack-based defenses; (iii) differential-privacy-based defenses. Regularization-based defenses adapt regularization techniques to design countermeasures; however, this may lead to heavy overhead when complex regularization techniques are adapted. For example, Salem et al. [30] demonstrate that ensemble learning (a regularization technique) can be adapted to counter membership inference attacks, but multiple types of ML models are required, which brings significant training and storage costs. Adversarial-attack-based defenses utilize adversarial examples [8] to obfuscate the membership inference attack model, but they require extra effort in finding proper perturbations. For instance, Jia et al. [13] propose a defense called MemGuard that modifies the outputs of the victim model into adversarial examples, but a model mimicking the attacker is required to assist in finding perturbations, which is time consuming. Differential-privacy-based defenses adopt differential privacy to add noise during model training to thwart the attacks. However, the usability of the model is also impaired, as discussed in [28, 12].

It can be observed from these previous works [28, 12] that, to counter membership inference attacks, one conventional wisdom is to introduce perturbations or noise. However, those newly introduced perturbations/noise also downgrade the usability of the model. Therefore, exploring a solution that may bridge the gap between usability and security is a vital challenge. In this paper, we leverage Domain Adaptation (DA) to build a defense against membership inference attacks. DA allows knowledge to be transferred from a source domain to a different (but related) target domain. For example, DA may utilize an image dataset of cats and dogs collected from Instagram (i.e., the source domain) to solve new tasks such as categorizing pictures of cats and dogs clipped from animation movies (i.e., the target domain). To this end, DA may train a shared representation (in our context, a shared representation is learned by a model) from the dataset in the source domain and the dataset in the target domain, and the shared representation captures the underlying common features of the two datasets. Our observation is that the two datasets are mixed and obfuscated when DA is adopted. Intuitively, if the sensitive dataset is in the target domain, we can find a different but related dataset in a source domain, and leverage DA to obfuscate the sensitive dataset. In this way, membership inference attacks fail, while the newly generated shared representation may also perform well in solving tasks that require the sensitive dataset, since the shared representation contains the features of the sensitive dataset. Also, the overhead of our defense is slight to none, in that no extra phases/algorithms are involved in the model once it has been released.

To validate our intuition, we design and implement DAMIA (Damia is a Greek goddess who brings the fertility of the soil, and we hope our DAMIA also brings “fertility” to the DL community by mitigating membership inference attacks), leveraging Domain Adaptation (DA) as a defense to counter membership inference attacks. We conduct extensive experiments to benchmark a balance where membership inference attacks are defended while the usability of the model is not affected. To this end, multiple metrics have been evaluated, including effectiveness, accuracy and various other metrics. Among these metrics, we also design a few novel ones, which better capture the capability of DAMIA. According to our experiments, while settings may vary, our defense always performs well in defending against membership inference attacks. Specifically, the success rate of an attacker is close to 50%, which is roughly equivalent to a random guess. Moreover, with higher similarity between the source dataset and the sensitive dataset, the accuracy of the model (i.e., the usability) is significantly boosted. Given that, we argue that our defense will not hinder the usability of the original model and has a negligible footprint.

Contributions Our paper makes the following contributions:

  • We propose that DA can feasibly be leveraged against membership inference attacks. To the best of our knowledge, we are the first to adopt DA in the domain of defending against membership inference attacks.

  • We design and implement DAMIA (i.e., Domain Adaptation against Membership Inference Attacks). Our experiments show that DAMIA is capable of defending against membership inference attacks, reducing the attack success rate to roughly 50%, which is equivalent to a random guess.

  • We design a few metrics that can measure a model’s capability of defending against membership attacks. We believe some of the metrics can better reflect the capability when compared with the legacy ones.

  • We further investigate a few factors that may affect our results in terms of accuracy. Our attempts may also bring benefits and value to vendors and researchers interested in adopting our defense, in that we exclude a few factors that may impair the usability of our defense.

Roadmap: The rest of the paper is organized as follows. In Section 2, we provide background on membership inference attacks and domain adaptation. In Section 3 we define the threat model and present the insight and the design of DAMIA. In Section 4 we evaluate the effectiveness and various other metrics of DAMIA, and we also explore factors of the source domain that affect the accuracy of DAMIA. In Section 5, we present related work, and we conclude the paper in Section 6.

2 Background

This section introduces background knowledge including the membership inference attack and domain adaptation.

2.1 Membership Inference Attacks

The membership inference attack is a type of attack against deep learning models, which can be deployed to determine whether a sample is from the training set of a victim model. The basic idea of the attack is that the information exposed by the model contains abundant information about the training data, based on which an attacker may perform membership inferences. Theoretically, all characteristics of the victim model, such as activation values, affine outputs, gradients or even the model’s transparency report, can be utilized by attackers to deploy the attack [21, 31, 30]. Given that most of the above characteristics are not publicly accessible, attackers in practice may rely solely on the outputs of the model to deploy the attack.

Mathematically, consider a victim DL model trained on a dataset , which handles a classification task, categorizing all its inputs into categories. Any sample fed into will result in an output , where is the confidence score, indicating the probability of being a sample of the category . To deploy the membership inference attack, an attacker may train a binary classifier to determine whether a sample is from the training data .

A simple but efficient way to initiate a membership inference attack is to build a linear binary classifier using a confidence threshold as the decision boundary, which is selected based on extensive experiments. In particular, one may enumerate all possible confidence scores to find the that achieves the maximum accuracy of membership inference [45]. With , if the confidence score of a sample for a specific category () is higher than , will determine the sample to be a member of the training set. Formally, the procedure can be defined as follows:

Note that stands for member and stands for non-member.

Compared with other attacks such as model inversion [4, 44], the impact of the membership inference attack is relatively minor. However, membership inference is easier to deploy and requires less information about the victim model than other attacks. Therefore, when an attacker attempts to compromise a model so as to derive sensitive information, the membership inference attack serves as a “metric”, probing whether the model is potentially vulnerable. If the membership inference attack is possible, other attacks with higher severity can then be launched.

2.2 Domain Adaptation

Domain Adaptation (DA) is a branch of transfer learning [25], aiming to address the issue of insufficient labeled training data. It utilizes the knowledge of one or more relevant source domains to conduct new tasks in a target domain. Mathematically, we denote a domain as , in which represents the feature space and represents the marginal probability distribution, . A task on a specific domain is denoted as , where is the label space and is the target prediction function. Therefore, a source domain can be represented as , while a target domain can be represented as . Correspondingly, and are two tasks. The goal of DA is to leverage the latent knowledge from and to improve the performance of in , where . Note that in domain adaptation, . Basically, the approach achieves the knowledge transfer by driving the model to learn the shared representation of the source domain and the target domain. Various approaches to DA have been introduced, which can be grouped into three categories [42]: discrepancy-based approaches, adversarial-based approaches and reconstruction-based approaches. We now elaborate on each category in detail:

Discrepancy-based Approaches. Discrepancy-based approaches assume that a shared representation of the source and target domains can be obtained by fine-tuning the DL model with labeled or unlabeled data. The approaches can be implemented in multiple ways; as one of the popular criteria, the statistical criterion uses mechanisms to align the statistical distribution shift between the source and target domains. For example, Tzeng et al. [39] proposed deep domain confusion (DDC) by introducing Maximum Mean Discrepancy (MMD) into the loss function. Specifically, they add MMD to the loss function and regard it as a metric to quantitatively measure the distance between domains. That is, a sufficiently small MMD reflects that the shared representation has been obtained by the model, and the goal during the training process is to minimize MMD. We give the definition of MMD as follows; note that is a kernel function that maps inputs to a space of higher dimensionality:

Correspondingly, the loss function can be represented as follows:
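As an added illustration of the discrepancy criterion described above (example code written for this page, not the paper's or DDC's implementation), the following computes the biased empirical MMD² estimate with a Gaussian kernel, combines it with a task loss in the DDC style (task loss plus λ·MMD², an assumed form), and shows a toy "adaptation" step that chooses the translation of constructed target features minimising MMD² against constructed source features. The kernel choice, γ, λ and the sample data are all assumptions.

```python
import math
import random


def rbf_kernel(x, y, gamma):
    """Gaussian (RBF) kernel k(x, y) = exp(-gamma * ||x - y||^2); a positive-
    definite kernel that implicitly maps inputs to a higher-dimensional space."""
    sq_dist = sum((a - b) ** 2 for a, b in zip(x, y))
    return math.exp(-gamma * sq_dist)


def mean_kernel(xs, ys, gamma):
    """Average kernel value over all pairs (x in xs, y in ys)."""
    total = sum(rbf_kernel(x, y, gamma) for x in xs for y in ys)
    return total / (len(xs) * len(ys))


def mmd_squared(source, target, gamma=0.5):
    """Biased empirical estimate of MMD^2 between two sample sets:
    E[k(s, s')] + E[k(t, t')] - 2 E[k(s, t)].
    It is 0 for identical sets and grows with the domain shift."""
    return (mean_kernel(source, source, gamma)
            + mean_kernel(target, target, gamma)
            - 2.0 * mean_kernel(source, target, gamma))


def ddc_objective(task_loss, source_feats, target_feats, lam=1.0, gamma=0.5):
    """DDC-style objective (assumed form): the classification loss on the
    labelled source batch plus lambda * MMD^2 between the intermediate
    representations of the source and target batches."""
    return task_loss + lam * mmd_squared(source_feats, target_feats, gamma)


def make_domain(n, shift, seed):
    """Constructed 2-D features: standard normal samples translated by
    `shift` along the first axis to emulate a domain shift."""
    rng = random.Random(seed)
    return [[rng.gauss(0.0, 1.0) + shift, rng.gauss(0.0, 1.0)] for _ in range(n)]


def align_by_translation(source, target, candidates, gamma=0.5):
    """Toy stand-in for the DA training step: among candidate translations
    of the target features, keep the one that minimises MMD^2 against the
    source features. Returns (best_shift, mmd_before, mmd_after)."""
    before = mmd_squared(source, target, gamma)
    best_shift, best_mmd = 0.0, before
    for s in candidates:
        moved = [[t[0] - s, t[1]] for t in target]
        m = mmd_squared(source, moved, gamma)
        if m < best_mmd:
            best_shift, best_mmd = s, m
    return best_shift, before, best_mmd


if __name__ == "__main__":
    source = make_domain(60, shift=0.0, seed=1)   # e.g. real-world photos
    target = make_domain(60, shift=3.0, seed=2)   # e.g. animation frames
    grid = [i * 0.25 for i in range(21)]          # translations 0.0 .. 5.0
    shift, before, after = align_by_translation(source, target, grid)
    print(f"MMD^2 before alignment: {before:.4f}")
    print(f"best translation {shift:.2f}, MMD^2 after alignment: {after:.4f}")
    aligned = [[t[0] - shift, t[1]] for t in target]
    print("DDC objective with task loss 0.30:",
          round(ddc_objective(0.30, source, aligned), 4))
```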

Adversarial-based Approaches. Adversarial-based approaches construct the shared representation in an adversarial way [38, 1, 5]. Specifically, Generative Adversarial Learning (GAN) pits two networks against each other, known as the discriminator and the generator. Originally, the generator is trained to produce samples that may confuse the discriminator, so that the discriminator fails to distinguish a generated sample from a sample of the genuine dataset. In adversarial-based approaches, this principle is adopted to ensure that the discriminator cannot determine whether a sample is generated by the generator or originally comes from the source/target domain, indicating that the generator is capable of generating the shared representation.

Reconstruction-based Approaches. Reconstruction-based approaches construct the shared representation through a reconstruction process. That is, provided that a representation can be reconstructed into samples in both the source and target domains, the representation is considered to be the one shared by the source and target domains. Similar to the generator in adversarial-based approaches, a model that can produce such a representation is the one of interest. For example, Ghifary et al. [7] use an autoencoder [40] for domain adaptation, in which the encoder is used for shared representation learning and a decoder is used to reconstruct the representation.

3 DAMIA: Domain Adaptation against Membership Inference Attacks

In this section, we first define our threat model. Afterwards, we shed light on the idea of DAMIA, in which we leverage DA as a defense against membership inference attacks.

3.1 Threat Model

DAMIA works under the scenario of MLaaS (Machine-Learning-as-a-Service), where a DL model is served to the public and only the prediction APIs are exposed to users for feeding inputs. In such a scenario, users can collect the outputs (i.e., the prediction vectors) once the model finishes processing, and the goal of DAMIA, as the name implies, is to defeat membership inference attacks.

Specifically, we make the following assumptions:

  1. We assume that the attacker has only black-box access to the victim model. That is, the only way an attacker can interact with the victim model is to invoke the prediction APIs and collect outputs from the victim model.

  2. We assume that the attacker knows the distribution that the training data of the victim model is drawn from, meaning that an attacker may obtain all the possible values in the training data that the model was trained on. However, given specific data, the attacker does not know whether they are in the training dataset. Note that this assumption is also made in most membership inference threat models [32, 45, 30].

  3. We assume that the attacker is not aware of the implementation of the target model, including the architecture, the training algorithm and hyperparameters such as learning rates. This is reasonable because, other than the model, the underlying architecture as well as the hyperparameters are usually not public in practice.

  4. We further assume that the attacker has the ability to access the target domain as well as the source domain.

3.2 Insight and Design

Membership inference attacks are feasible because the model may achieve a better performance when the input is from the training dataset, which is considered sensitive. Therefore, a straightforward solution is to obfuscate the sensitive dataset, so that membership inference attacks against the sensitive dataset are not possible. However, a model trained on an obfuscated dataset may not achieve the same goal in a specific task as the sensitive dataset does. For example, categorizing pictures of cats and dogs clipped from animation movies may not be possible if the aforementioned pictures of cats and dogs were blurred during the training process. Therefore, exploring a solution that may bridge the gap between the original sensitive dataset and an obfuscated dataset, balancing usability and security, is a vital challenge.

Fig. 1: Workflow of DAMIA.

In this paper, we propose DAMIA, i.e., Domain Adaptation against Membership Inference Attacks. As the name implies, DAMIA adopts the Domain Adaptation as the core engine of our solution. Our intuition is that Domain Adaptation can generate a shared representation (i.e., a model) of a source domain and a target domain, where the sensitive dataset belongs to the target domain, and the other dataset from source domain is provided to obfuscate the sensitive data set. As a consequence, the shared representation should have good support in defending membership inference attack against a sensitive dataset, since the sensitive dataset is obfuscated during the training process. Meanwhile, the extracted shared representation can also be used to solve tasks that require the use of the sensitive dataset, which has been widely discussed in [38, 1, 5].

Figure 1 illustrates the workflow, which includes the following steps:

  1. Domain adaptation requires one dataset from the source domain and one dataset from the target domain. Initially, only the sensitive data is given, and the domain that the sensitive dataset belongs to is referred to as the target domain. For example, the sensitive dataset in our context can be an image-set which contains pictures of cats and dogs clipped from animation movies.

  2. We find a dataset other than the sensitive dataset in a different but related domain. For example, we can find an image-set collected from Instagram, containing pictures of cats and dogs from the real world.

  3. We adopt domain adaptation training to train a model. In our example, domain adaptation will train a shared representation based on the two image-sets containing images of cats and dogs, i.e., the image-set collected from animation movies and the image-set collected from Instagram. Please note that the labels of the first image-set are removed before training, to cohere with the training process of domain adaptation. Consequently, the shared representation will not violate the confidentiality of the image-set collected from animation movies, which is considered sensitive.

4 Evaluation

We now explore analytically the performance of DAMIA. As stated above, the intuition is that DA can obfuscate sensitive datasets with a different but related dataset, generating a shared representation that shares underlying common features with the sensitive dataset, thwarting the membership inference attack. Obviously, there is a trade-off between security and usability, due to the fact that an obfuscated dataset may not achieve the same performance as the original dataset does. Given that, we attempt to answer the following three questions:

Q1: Is DAMIA effective in countering membership inference attacks?

Q2: Do all types of domain adaptation techniques have the same effect in countering membership inference attacks?

Q3: What are the factors that may impact the performance of DAMIA, and how can DAMIA achieve the best performance by manipulating those factors?

The rest of this section is organized as follows: we first present our experiment setup. Afterwards, we use three standalone subsections to evaluate different aspects of DAMIA, answering the aforementioned three questions correspondingly.

4.1 Experiment Setup

All our experiments are conducted on an Ubuntu 16.04 server with an Intel(R) Xeon(R) E5-2640 CPU, 4 GTX 1080 GPUs and 130 GB of memory. We use PyTorch (https://github.com/pytorch/pytorch) to build our deep learning models for evaluation. The datasets involved in our experiments include (i) MNIST, (ii) SVHN and (iii) Office-31.

Specifically, MNIST is an image dataset containing handwritten digits with an image size of . All the digits are in the range of 0 to 9 and all the images are gray-scale. MNIST contains 70,000 images in total, in which 60,000 images are used as the training set and the rest serve as the non-training set (i.e., test set). Similar to MNIST, SVHN is also an image dataset of digits 0 to 9 with an image size of . The training dataset contains 73257 images, the non-training dataset has a size of 26032, and the extra training dataset has a size of 531131. Some representative samples from the two datasets are shown in Figure 2. Office-31 (https://people.eecs.berkeley.edu/~jhoffman/domainadapt/) is a dataset of objects commonly appearing in an office setting. The dataset consists of 4110 images in total from three domains, Amazon, DSLR and Webcam, each containing 31 categories, and it is designed for domain adaptation. Images in domain Amazon are collected directly from amazon.com and are preprocessed so that there is only a target object on a blank white background. Images in domains Webcam and DSLR are shot by web cameras and DSLR (digital single-lens reflex) cameras in a real-world office. The two domains are similar to each other, and the main difference is the object’s pose and the lighting condition. The details of Office-31 are shown in Table I and the differences among the three domains are shown in Figure 3. Please note that all the datasets are utilized as either source domain or target domain, and are split into training sets and non-training sets.

Fig. 2: Representative samples from MNIST (left) and SVHN (right).
Domain    Total Amount    Training Set (80%)    Non-training Set (20%)
Amazon    2817            2253                  564
DSLR      498             398                   100
Webcam    795             636                   159
TABLE I: Details of Office-31
Fig. 3: Images of bikes from 3 different domains in Office-31.

4.2 Effectiveness

For Q1, we define the effectiveness of DAMIA as its capability in defending against membership inference attacks. We use two models with the same architecture, i.e., AlexNet [14], and adopt a few metrics to demonstrate it. The two models are: (i) a model trained on the dataset Webcam from Office-31; (ii) a model trained by DAMIA, in which the target domain and source domain may vary according to the specific context. During the training process, the discrepancy-based domain adaptation technique Deep Domain Confusion [39] (DDC) is adopted for training DAMIA. The membership inference attack used in our experiments is the threshold-based membership inference attack introduced in [45, 33]. We will not provide the details of the attack due to the page limit.

The organization of this part is as follows: initially, we evaluate the effectiveness of DAMIA using two legacy metrics, which reflect the advantage of an attacker. In particular, these metrics, generalization error and prediction distributions, are also widely adopted in other efforts [22, 45]. Further, we introduce two novel metrics, which may also reflect the capability of a model in defending against membership inference attacks. These metrics are the intermediate representation and the advantage of membership inference attacks. Please refer to the corresponding paragraph for the definition of each metric.

4.2.1 Legacy Metrics of Effectiveness

Generalization Error: Generalization error is a metric to evaluate the performance of a model when a non-training dataset is involved. If the generalization error is low, a model achieves a good performance on non-training data, close to its performance on the training dataset. Therefore, an attacker wants the generalization error to be as large as possible. For each dataset, we train two models: one with DAMIA enabled, and one without. For the one with DAMIA enabled, we first assume the attacker wants to deploy attacks against Webcam, so a dataset from Amazon is used in our experiment to obfuscate Webcam. We then assume the attacker wants to attack Amazon, and similarly, Webcam is then used to obfuscate Amazon. Figure 4 and Figure 5 show the generalization error for Webcam and Amazon respectively. It can be observed that, whatever the dataset, a model with DAMIA enabled has a lower generalization error than the one without DAMIA, indicating that DAMIA is effective in defending against membership inference attacks.

Prediction Distributions: The prediction distribution refers to the distribution of the probability of being a sample from each category [22]. Basically, if the prediction distribution of the training dataset and that of the non-training dataset are close to each other, one cannot tell the difference. In other words, the membership inference attack may fail in this case. The experimental procedure and datasets used are similar to the first experiment, and we will not go into details. Recall that each dataset in Office-31 contains different categories of images. We select and plot the prediction distributions of a few categories, including desk chair (category label “7”), mobile phone (category label “15”), ring binder (category label “25”) and speaker (category label “28”). As demonstrated in Figure 6, the figures on the left side show categories of the model with DAMIA enabled, while the ones on the right side show the model without. It can be observed that the prediction distributions of the model with DAMIA are closer to each other than those of the model without. This brings more challenges for an attacker whose goal is to deploy membership inference attacks.

Fig. 4: Empirical Cumulative Distribution Function (CDF) of the generalization error of models across different categories in Webcam. Amazon is used for obfuscation.
Fig. 5: Empirical Cumulative Distribution Function (CDF) of the generalization error of models across different categories in Amazon. Webcam is used for obfuscation.
Fig. 6: Prediction distribution comparison.

4.2.2 New Metrics of Effectiveness

Intermediate Representation: The intermediate representation reveals the way a DL model processes its training data. Basically, a DL model goes through a feature extraction process and a classification process throughout the entire training, and the outputs of the feature extraction process are referred to as intermediate representations, which may affect the accuracy of the classification process. Given that an attacker leverages the outputs of the classification process to derive membership inference attacks, intuitively, the intermediate representation may also be associated with the success rate of the membership inference attack. We conduct a similar experiment to confirm our intuition; the intermediate representations are taken from the fifth convolution layer (the training process goes through multiple layers [15]), with their dimensionality (i.e., the number of attributes that the data have) reduced to two [18]. The intermediate representations are shown in Figure 7. Samples from the same category have the same color and the same category label, and we carefully assign the colors to avoid conflicts. It can be observed that, with DAMIA enabled, the data of each category forms a more compact cluster, and the intermediate representations of the non-training samples are much closer to those of the training samples. The result indicates that the model trained by DAMIA processes training data and non-training data in a similar way, creating barriers to distinguishing training data from non-training data. In other words, membership inference attacks are more likely to fail.

Fig. 7: Intermediate representations of Webcam processed by the models without (left) or with (right) DAMIA enabled.

Advantage of an Adversary: We now introduce a new metric to measure the advantage of an adversary who wants to deploy a membership inference attack against a model. With insufficient advantage, the accuracy of membership inference is merely close to a random guess. Therefore, the membership inference advantage of an adversary can be defined as:

In particular, represents the accuracy of membership inference for a specific adversary, while is the probability of a random guess, which is 0.5, in that for a specific sample, an adversary without any foreknowledge may randomly output yes or no to guess whether the sample is from the training dataset. For example, when is close to zero, the membership inference attack is merely a random guess. We believe this metric better reflects the capability of a defense than the legacy ones, in that it indicates in a straightforward manner whether the attack works. Further, to demonstrate its feasibility, we adopt the metric to measure the advantages in practice and illustrate the results in Table II. As expected, with DAMIA, the advantages of attackers are significantly hindered. Please note that the training process, as well as other related information about our testing models, has been introduced before; please refer to the previous subsection for details.

Sensitive data | Amazon, w/o DAMIA | Amazon, DAMIA | Webcam, w/o DAMIA | Webcam, DAMIA
---|---|---|---|---
MIA Acc. | 0.77324 | 0.514514926 | 0.68003 | 0.534591195
Advantage | 0.54648 | 0.029029852 | 0.36006 | 0.06918239
TABLE II: Advantages comparison on Amazon and Webcam with/without DAMIA enabled. Please note that “Acc.” refers to “Accuracy”, and “MIA” refers to membership inference attack.

4.3 Performance of different domain adaptation approaches

To answer Q2, we explore whether the use of a different domain adaptation technique affects the performance of DAMIA. To this end, we train DAMIA with each of the three approaches introduced in Section 2, and evaluate the performance of each resulting model in terms of defending against membership inference attacks. As discussed before, using the advantage is a simple but effective way to evaluate whether membership inference attacks are possible. Therefore, we continue to use this metric in the rest of this section.

Discrepancy-based Domain Adaptation: We evaluate the feasibility of DAMIA trained via discrepancy-based domain adaptation approaches. Similar to the previous experiment, DDC (deep domain confusion) [39] is adopted. We then deploy membership inference attacks against MNIST, SVHN and the three datasets in Office-31. To eliminate the impact of the architecture of the DL model, we use AlexNet and ResNet-50 [10] as the backbones of the models respectively and train them for 150 epochs to make sure that they converge. The experimental results are shown in Table III to Table VI. It can be observed that DAMIA works against membership inference attacks effectively despite the different architectures.

Adaptation Direction (DAMIA) | Train Acc. on Target | Test Acc. on Target | MIA Acc. on Target | Advantage on Target
---|---|---|---|---
MNIST → SVHN | 0.212566717 | 0.224953903 | 0.503727767 | 0.007455534
SVHN → MNIST | 0.76805 | 0.7702 | 0.503108333 | 0.006216666
TABLE III: Performance comparison on MNIST and SVHN (with AlexNet). Please note that “Acc.” refers to “Accuracy”, and “MIA” refers to membership inference attack. The same below.

Adaptation Direction (DAMIA) | Train Acc. on Target | Test Acc. on Target | MIA Acc. on Target | Advantage on Target
---|---|---|---|---
Amazon → DSLR | 0.447236181 | 0.46 | 0.528492462 | 0.056984924
Amazon → Webcam | 0.501572327 | 0.459119497 | 0.534591195 | 0.06918239
DSLR → Amazon | 0.407900577 | 0.416666667 | 0.510169656 | 0.020339312
DSLR → Webcam | 0.938679245 | 0.93081761 | 0.522012579 | 0.044025158
Webcam → Amazon | 0.375055482 | 0.372340426 | 0.514514926 | 0.029029852
Webcam → DSLR | 0.929648241 | 0.91 | 0.544296482 | 0.088592964
TABLE IV: Performance comparison on Office-31 (with AlexNet).

Adaptation Direction (DAMIA) | Train Acc. on Target | Test Acc. on Target | MIA Acc. on Target | Advantage on Target
---|---|---|---|---
MNIST → SVHN | 0.219173594 | 0.227566073 | 0.511505038 | 0.023010076
SVHN → MNIST | 0.778966667 | 0.7844 | 0.500133333 | 0.000266666
TABLE V: Performance comparison on MNIST and SVHN (with ResNet-50).

Adaptation Direction (DAMIA) | Train Acc. on Target | Test Acc. on Target | MIA Acc. on Target | Advantage on Target
---|---|---|---|---
Amazon → DSLR | 0.733668342 | 0.68 | 0.542964824 | 0.085929648
Amazon → Webcam | 0.721698113 | 0.761006289 | 0.517295597 | 0.034591194
DSLR → Amazon | 0.625832224 | 0.675531915 | 0.507515983 | 0.015031966
DSLR → Webcam | 0.962264151 | 0.981132075 | 0.504716981 | 0.009433962
Webcam → Amazon | 0.628051487 | 0.663120567 | 0.501553484 | 0.003106968
Webcam → DSLR | 0.992462312 | 0.99 | 0.551909548 | 0.103819096
TABLE VI: Performance comparison on Office-31 (with ResNet-50).

Adversarial-based Domain Adaptation: We evaluate the feasibility of DAMIA trained via adversarial-based domain adaptation approaches. Similar to the first experiment, we deploy membership inference attacks against MNIST, SVHN and the three datasets in Office-31. AlexNet and ResNet-50 [10] serve as the backbones of the models respectively. The adversarial-based domain adaptation approach used in the experiment is ADDA (i.e., Adversarial Discriminative Domain Adaptation) [38]. It can be observed in Table VII that DAMIA works against membership inference attacks effectively. Unfortunately, the performance is not as good as we expected. For example, when Amazon is adopted to obfuscate Webcam, the test accuracy on Webcam drops to 1.2579%. Likewise, when DSLR is adopted to obfuscate Webcam, the test accuracy is only 6.918239%, even when ResNet-50 is used as the backbone. ResNet-50 has more layers than AlexNet and, theoretically, should have a better capacity for learning representations [35]. This may be attributed to the fact that when a GAN is adopted, the model is often difficult to bring to convergence [2], placing barriers for the model to learn the shared representation. We also find that the procedure of training DAMIA via adversarial-based domain adaptation approaches is sophisticated, in that four models are involved. Given its unsatisfactory performance, we do not recommend training DAMIA via this type of approach.

Adaptation Direction (DAMIA) | Train Acc. on Target | Test Acc. on Target | MIA Acc. on Target | Advantage on Target
---|---|---|---|---
MNIST → SVHN | 0.137803 | 0.139943 | 0.5148440 | 0.029688
SVHN → MNIST | 0.735633 | 0.7426 | 0.5007183 | 0.0014366
TABLE VII: Performance comparison on MNIST and SVHN (with ADDA).

Reconstruction-based Domain Adaptation: We further evaluate the feasibility of DAMIA trained via reconstruction-based domain adaptation approaches. We deploy membership inference attacks against MNIST, SVHN and the three datasets in Office-31. We choose DRCN (i.e., Deep Reconstruction Classification Networks) [7] to conduct our experiments. For MNIST and SVHN, we select a vanilla CNN with three convolutional layers and two fully connected layers as the backbone of the model. Again, we use AlexNet as the backbone for Office-31. Experimental results are shown in Table VIII and Table IX. Similarly, the advantage of an attacker approaches zero, indicating that DAMIA works against membership inference attacks effectively.

Adaptation Direction (DAMIA) | Train Acc. on Target | Test Acc. on Target | MIA Acc. on Target | Advantage on Target
---|---|---|---|---
MNIST → SVHN | 0.162838 | 0.191726 | 0.525682 | 0.051364
SVHN → MNIST | 0.682617 | 0.696000 | 0.500008 | 0.000016
TABLE VIII: Performance comparison on MNIST and SVHN (with DRCN).

Adaptation Direction (DAMIA) | Train Acc. on Target | Test Acc. on Target | MIA Acc. on Target | Advantage on Target
---|---|---|---|---
Amazon → DSLR | 0.412060302 | 0.55 | 0.568492462 | 0.136984924
Amazon → Webcam | 0.375786164 | 0.459119497 | 0.550314465 | 0.10062893
DSLR → Amazon | 0.220594763 | 0.242907801 | 0.526324239 | 0.052648478
DSLR → Webcam | 0.798742138 | 0.836477987 | 0.58490566 | 0.16981132
Webcam → Amazon | 0.253883711 | 0.290780142 | 0.517025762 | 0.034051524
Webcam → DSLR | 0.891959799 | 0.9 | 0.600452261 | 0.200904522
TABLE IX: Performance comparison on Office-31 (with DRCN).

4.4 Factors that Affect the Usability

In the previous section, our experiments show that DAMIA works against membership inference attacks effectively regardless of the approach. However, some of the approaches may not achieve a good test accuracy, which hurts the usability of the original dataset. Therefore, in this section, we explore the factors that may affect the usability of DAMIA, which answers Q3. Recall that we use the datasets in the source domain to obfuscate the dataset in the target domain, and therefore we can only manipulate the datasets in the source domain. Further, we select a few factors, including size, diversity and similarity, that may have an impact on the usability, and adjust the source dataset along each factor to see what the impact is. Assume that the source domain consists of a number of datasets, each of which is one dataset of the source domain. In particular, we list those factors below:

  • Size. We define the size of the source domain as follows:

  • Diversity. The diversity is defined as the number of datasets involved in the source domain, which can be denoted as:

  • Similarity. To measure the similarity between domains, we first calculate the norm of a domain by averaging all the samples in the domain; the result can be regarded as a representative of the domain. Since we focus on image datasets, the representatives are essentially images. The similarity between domains is then defined as the similarity between the representatives of the domains. To this end, we use perceptual hashing [46] to generate a fingerprint (a hash value) for each representative. With perceptual hashing, if two images are perceptually identical, the difference between their fingerprints is modest [46]. Therefore, the similarity between domains is reflected by the difference between the fingerprints of their representatives. Formally, the similarity can be defined as follows:
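The three factors above, as an added example that is not the paper's code: it computes size, diversity and similarity for constructed 16x16 grayscale domains standing in for Webcam and its candidate sources. It assumes an 8x8 average hash as the perceptual hash (the paper cites [46] without naming the variant) and similarity = 1 minus Hamming distance / 64, which matches the 1/64 granularity of the similarity values reported in Table XIV.

```python
"""Source-domain factors from DAMIA Section 4.4: size, diversity, similarity.
Added example (not the paper's code). Assumptions: the perceptual hash is an
8x8 average hash and similarity is 1 - Hamming distance / 64."""
from typing import Dict, List

Image = List[List[float]]          # grayscale image as rows of pixel values
Domain = Dict[str, List[Image]]    # dataset name -> its samples
HASH_SIDE = 8
HASH_BITS = HASH_SIDE * HASH_SIDE  # 64-bit fingerprint

def domain_size(domain: Domain) -> int:
    """Size factor: total number of samples across all datasets in the domain."""
    return sum(len(images) for images in domain.values())

def domain_diversity(domain: Domain) -> int:
    """Diversity factor: number of datasets the source domain is mixed from."""
    return len(domain)

def domain_representative(domain: Domain) -> Image:
    """Pixel-wise average of every sample in the domain (the paper's 'norm')."""
    images = [img for dataset in domain.values() for img in dataset]
    if not images:
        raise ValueError("domain has no samples")
    height, width = len(images[0]), len(images[0][0])
    total = [[0.0] * width for _ in range(height)]
    for img in images:
        if len(img) != height or any(len(row) != width for row in img):
            raise ValueError("all samples must share one shape")
        for y in range(height):
            for x in range(width):
                total[y][x] += img[y][x]
    return [[v / len(images) for v in row] for row in total]

def average_hash(img: Image) -> int:
    """64-bit average hash: block-average down to 8x8, then one bit per block,
    set when the block is brighter than the mean over all blocks."""
    height, width = len(img), len(img[0])
    if height % HASH_SIDE or width % HASH_SIDE:
        raise ValueError("image sides must be multiples of 8")
    bh, bw = height // HASH_SIDE, width // HASH_SIDE
    blocks = []
    for by in range(HASH_SIDE):
        for bx in range(HASH_SIDE):
            block = [img[y][x] for y in range(by * bh, (by + 1) * bh)
                     for x in range(bx * bw, (bx + 1) * bw)]
            blocks.append(sum(block) / len(block))
    mean = sum(blocks) / HASH_BITS
    fingerprint = 0
    for value in blocks:  # first block ends up in the most significant bit
        fingerprint = (fingerprint << 1) | (1 if value > mean else 0)
    return fingerprint

def fingerprint_similarity(a: int, b: int) -> float:
    """1.0 for identical fingerprints, 0.0 when all 64 bits differ."""
    return 1.0 - bin(a ^ b).count("1") / HASH_BITS

def domain_similarity(source: Domain, target: Domain) -> float:
    """Similarity factor: compare the fingerprints of the two representatives."""
    return fingerprint_similarity(average_hash(domain_representative(source)),
                                  average_hash(domain_representative(target)))

def make_image(side: int, bright_quadrant: str, offset: float) -> Image:
    """Constructed sample: flat gray (50) with one bright (200) quadrant."""
    half = side // 2
    def pixel(y: int, x: int) -> float:
        quadrant = ("top" if y < half else "bottom") + ("-left" if x < half else "-right")
        return min(255.0, (200.0 if quadrant == bright_quadrant else 50.0) + offset)
    return [[pixel(y, x) for x in range(side)] for y in range(side)]

def make_dataset(quadrant: str, brightness: float = 0.0, n: int = 3) -> List[Image]:
    """Three constructed 16x16 samples with slightly different exposures."""
    return [make_image(16, quadrant, brightness + 5 * i) for i in range(n)]

# Constructed stand-ins: TARGET plays the sensitive dataset (Webcam in the paper),
# BRIGHTER is TARGET under a brightness shift, OTHER is an unrelated dataset.
TARGET: Domain = {"target": make_dataset("top-left")}
BRIGHTER: Domain = {"target+brightness": make_dataset("top-left", brightness=40)}
OTHER: Domain = {"other": make_dataset("bottom-right")}
MIXED: Domain = {**BRIGHTER, **OTHER}  # diversity 2, like the paper's Mix(...)

def factor_report(source: Domain, target: Domain) -> Dict[str, float]:
    """All three factors of a candidate source domain against a target."""
    return {"size": domain_size(source), "diversity": domain_diversity(source),
            "similarity": domain_similarity(source, target)}

if __name__ == "__main__":
    for name, src in [("BRIGHTER", BRIGHTER), ("OTHER", OTHER), ("MIXED", MIXED)]:
        print(name, factor_report(src, TARGET))
```

The brightness-shifted source keeps a similarity of 1.0 to the target while mixing in an unrelated dataset raises diversity and lowers similarity, mirroring the direction of the paper's diversity and similarity experiments.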

In the following experiments, we select Office-31 as the experimental dataset and discrepancy-based domain adaptation for DAMIA. Also, AlexNet is adopted as the backbone of the model.

Size: In this experiment, we use Amazon to obfuscate Webcam. In particular, we want to explore how the size of the dataset in the source domain (i.e., Amazon) affects the usability of the generated model. To this end, we gradually increase the size of each category in Amazon from 1 to 68. Recall that Amazon includes 31 categories in total, and therefore the size of the source domain ranges from 31 to 2108. For each dataset of a specific size, we train the model for 100 epochs to minimize the impact of errors. We then test the accuracy of the trained model. Provided that the obfuscated model achieves a high accuracy, the usability of the model is not hindered. Moreover, changing the size of the dataset should not impair the effectiveness, so we also deploy membership inference attacks against the trained model. Figure 8 shows the result. It can be observed that an increased size of the dataset in the source domain slightly reduces the advantage of membership inference attacks. This is reasonable, since a larger dataset provides more samples for the model to perform the obfuscation. However, it can also be observed that even a small dataset, such as the one with only 31 samples, has excellent effectiveness. On the other hand, a dataset with more samples has a positive impact on the usability.

Size of Source Domain | Train Acc. on Target | Test Acc. on Target | MIA Acc. on Target | Advantage on Target
---|---|---|---|---
31 | 0.316037736 | 0.270440252 | 0.537735849 | 0.075471698
93 | 0.555031447 | 0.622641509 | 0.516509434 | 0.033018868
186 | 0.610062893 | 0.616352201 | 0.533805031 | 0.067610062
310 | 0.682389937 | 0.685534591 | 0.52908805 | 0.0581761
465 | 0.694968553 | 0.660377358 | 0.528301887 | 0.056603774
620 | 0.699685535 | 0.716981132 | 0.511006289 | 0.022012578
930 | 0.724842767 | 0.72327044 | 0.525157233 | 0.050314466
1302 | 0.746855346 | 0.710691824 | 0.521226415 | 0.04245283
1736 | 0.740566038 | 0.748427673 | 0.517295597 | 0.034591194
2108 | 0.732704403 | 0.742138365 | 0.519654088 | 0.039308176
TABLE X: Different sizes of the source dataset vs. accuracy.
Fig. 8: Test accuracy vs. membership inference accuracy under different sizes of the dataset in the source domain.

Diversity: We want to explore how the diversity of the datasets in the source domain affects the usability of the model trained by DAMIA. Therefore, we modify the diversity of the datasets in the source domain and observe whether the usability changes. Recall that there are three domains in Office-31: Amazon, DSLR and Webcam. We modify the diversity of the datasets by “mixing” two of them together. For example, Mix(Amazon DSLR) refers to a new dataset that contains all the samples from Amazon and all the samples from DSLR. Next, we use the mixed dataset to obfuscate the remaining one that is not involved in the mixing. Similarly, all the models involved are trained for 100 epochs to minimize errors. We test the usability afterwards and deploy membership inference attacks against those models. Results for a diversity of 2 are illustrated in Table XI, and we compare the test accuracy under different diversities (i.e., diversity equal to 1 [4] and diversity equal to 2 [5]) in Table XII for better illustration. From the comparison, we see that the diversity has a limited contribution to the usability. When the diversity increases, the test accuracy does not always ascend proportionally. For example, the test accuracy of the model using DSLR to obfuscate Webcam is higher than that of the one using Mix(Amazon DSLR) for obfuscation. Likewise, as shown in Table XIII, the comparison of the advantages of membership inference attacks under different diversities indicates that a larger diversity impairs the effectiveness of DAMIA. Therefore, DAMIA gains no advantage from being adopted with a source domain of large diversity.

[4] A source domain consisting of 1 dataset has a diversity of 1; such a source domain may be Amazon, DSLR or Webcam alone.
[5] A source domain consisting of 2 datasets has a diversity of 2; such a source domain may be Mix(Amazon DSLR).

Adaptation Direction | Train Acc. on Target | Test Acc. on Target | MIA Acc. on Target | Advantage on Target
---|---|---|---|---
Mix(DSLR Webcam) → Amazon | 0.634265424 | 0.640070922 | 0.501714027 | 0.003428054
Mix(Amazon Webcam) → DSLR | 0.854271357 | 0.83 | 0.549346734 | 0.098693468
Mix(Amazon DSLR) → Webcam | 0.8525 | 0.8 | 0.56625 | 0.1325
TABLE XI: Test accuracy on mixed source domains.

Sensitive Dataset \ Dataset for Obfuscation | Amazon | DSLR | Webcam | Mix(Amazon DSLR) | Mix(Amazon Webcam) | Mix(DSLR Webcam)
---|---|---|---|---|---|---
Amazon | - | 0.407900577 | 0.375055482 | - | - | 0.64007092
DSLR | 0.46 | - | 0.929648241 | - | 0.83 | -
Webcam | 0.459119497 | 0.938679245 | - | 0.80 | - | -
TABLE XII: Diversity of the dataset in the source domain vs. test accuracy. Please note that the diversity of “Mix” is 2.

Sensitive Dataset \ Dataset for Obfuscation | Amazon | DSLR | Webcam | Mix(Amazon DSLR) | Mix(Amazon Webcam) | Mix(DSLR Webcam)
---|---|---|---|---|---|---
Amazon | - | 0.015031966 | 0.003106968 | - | - | 0.003428054
DSLR | 0.085929648 | - | 0.103819096 | - | 0.098693468 | -
Webcam | 0.034591194 | 0.009433962 | - | 0.1325 | - | -
TABLE XIII: Diversity vs. advantage. Please note that the diversity of “Mix” is 2.
Fig. 9: Images of a desk lamp from Webcam and its perturbed versions.

Similarity: We then explore how the similarity between the source and target domains affects the usability of DAMIA. To this end, we create multiple similar datasets to obfuscate Webcam. Instead of collecting similar samples, we generate them by slightly modifying the original samples from Webcam. For example, the modification can be realized through the adjustment of the luminance (brightness), and tools for that purpose [11] are available online [6]. In particular, brightness, contrast, Gaussian noise and motion blur are used in our experiment to modify the original images, as shown in Figure 9. Similar to the previous experiments, all the models are trained for 100 epochs, and membership inference attacks are deployed on those models. Table XIV shows that the test accuracies of the models are substantially enhanced while excellent effectiveness is achieved.

[6] https://github.com/hendrycks/robustness

Adaptation Direction | Similarity | Train Acc. on Target | Test Acc. on Target | MIA Acc. on Target | Advantage on Target
---|---|---|---|---|---
Brightness → Original | 0.843750 | 0.993710692 | 1.0 | 0.510220126 | 0.020440252
Contrast → Original | 0.843750 | 0.993710692 | 0.993710692 | 0.512578616 | 0.025157232
Gaussian Noise → Original | 0.812500 | 0.988993711 | 0.974842767 | 0.522012579 | 0.044025158
Motion Blur → Original | 0.812500 | 0.995283019 | 0.993710692 | 0.512578616 | 0.025157232
TABLE XIV: Similarity vs. test accuracy. “Original” stands for Webcam from Office-31. Please note that in this case the similarity between the similar source and the target is above 0.8, while in the cases where the sources are Amazon and DSLR, the similarities are 0.593750 and 0.781250 respectively.

5 Related Works

Defenses against Membership Inference Attacks: Defenses against membership inference can be categorized into three groups: (i) regularization-based defenses; (ii) differential-privacy-based defenses; (iii) adversarial-attack-based defenses. Regularization-based defenses directly adopt regularization techniques to build defenses. Shokri et al. [32] and Salem et al. [30] show that techniques including regularization [23] and Dropout [34] may prevent overfitting and thereby counter membership inference attacks. In contrast, our defense stems from DA techniques, which are not designed to address overfitting. Salem et al. [30] use another regularization technique, ensemble learning, to build their defense. Their defense requires extra storage to maintain the ML (i.e., Machine Learning) models; our defense has no such requirement. Nasr et al. [22] introduce a new regularization term and propose an adversarial training process, termed a min-max game, to optimize the regularization term so as to defend against membership inference attacks. However, their defense is time-consuming since an adversarial training process is involved. Adversarial-attack-based defenses shield victim models using adversarial attacks. Jia et al. [13] propose MemGuard, where adversarial examples [8] are introduced to obfuscate samples and confuse the attackers. However, MemGuard requires sophisticated operations to turn the outputs of victim models into adversarial examples. Compared with MemGuard, our defense achieves the same goal with less effort. Differential-privacy-based defenses have drawn defenders’ attention [28, 37, 43, 12]; there, the goal is achieved by adding noise to the loss function or the gradients of the model. However, this method also degrades the usability of the model and slows the training process. DAMIA does not add noise to the loss function, and training efficiency is not hindered when compared with their schemes.

Transfer Learning in Privacy-Preserving Machine Learning: Papernot et al. [26] apply transfer learning to avoid model information leakage. Triastcyn and Faltings [37] adopt a GAN [9] to address a similar issue to that of [26]. In particular, in [37], the authors generate an artificial training dataset based on a private dataset and use the generated dataset to train a model. However, those efforts do not state which type of attack their defense may counter, whereas DAMIA focuses on countering membership inference attacks. Shokri et al. [32] and Song et al. [33] show that the temperature scaling technique, which is widely adopted in the area of domain adaptation, has the potential to defend against membership inference attacks. In our defense, we use other domain adaptation techniques rather than temperature scaling to defend against the attacks.

6 Conclusion

In this paper, we propose DAMIA, which leverages domain adaptation as a defense against membership inference attacks. DAMIA effectively counters membership inference attacks while the usability is not hindered. We also show that, with proper factors enabled, the performance of the model can be boosted. The next stage of our work is to explore a mechanism that can automatically select or generate a dataset related to a given sensitive dataset, so as to remove the manual effort.

Acknowledgements

Weiqi Luo was partially supported by the National Natural Science Foundation of China (Grant No. 61877029) and the Guangdong Provincial Special Funds for Applied Technology Research and Development and Transformation of Important Scientific and Technological Achievements (Grant No. 2017B010124002). Jian Weng was partially supported by the National Key R&D Plan of China (Grant Nos. 2017YFB0802203, 2018YFB1003701), the National Natural Science Foundation of China (Grant Nos. 61825203, U1736203, 61732021), and the Guangdong Provincial Special Funds for Applied Technology Research and Development and Transformation of Important Scientific and Technological Achievements (Grant Nos. 2016B010124009 and 2017B010124002). Guoqiang Zeng was partially supported by the National Natural Science Foundation of China (Grant Nos. 11871248, U1636209). Yue Zhang was partially supported by the National Natural Science Foundation of China (Grant No. 61877029). Hongwei Huang was partially supported by the National Natural Science Foundation of China (Grant No. 61872153). Anjia Yang was partially supported by the National Natural Science Foundation of China (Grant No. 61702222).

References

  • [1] H. Ajakan, P. Germain, H. Larochelle, F. Laviolette, and M. Marchand (2014) Domain-adversarial neural networks. arXiv preprint arXiv:1412.4446. Cited by: §2.2, §3.2.
  • [2] S. A. Barnett (2018) Convergence problems with generative adversarial networks (gans). arXiv preprint arXiv:1806.11382. Cited by: §4.3.
  • [3] D. Chen, N. Yu, Y. Zhang, and M. Fritz (2019) Gan-leaks: a taxonomy of membership inference attacks against gans. arXiv preprint arXiv:1909.03935. Cited by: §1, §1.
  • [4] M. Fredrikson, S. Jha, and T. Ristenpart (2015) Model inversion attacks that exploit confidence information and basic countermeasures. In Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, pp. 1322–1333. Cited by: §1, §2.1.
  • [5] Y. Ganin, E. Ustinova, H. Ajakan, P. Germain, H. Larochelle, F. Laviolette, M. Marchand, and V. Lempitsky (2017) Domain-adversarial training of neural networks. In Domain Adaptation in Computer Vision Applications, pp. 189–209. Cited by: §2.2, §3.2.
  • [6] K. Ganju, Q. Wang, W. Yang, C. A. Gunter, and N. Borisov (2018) Property inference attacks on fully connected neural networks using permutation invariant representations. In Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, pp. 619–633. Cited by: §1.
  • [7] M. Ghifary, W. B. Kleijn, M. Zhang, D. Balduzzi, and W. Li (2016) Deep reconstruction-classification networks for unsupervised domain adaptation. In European Conference on Computer Vision, pp. 597–613. Cited by: §2.2, §4.3.
  • [8] I. J. Goodfellow, J. Shlens, and C. Szegedy (2014) Explaining and harnessing adversarial examples. arXiv preprint arXiv:1412.6572. Cited by: §1, §5.
  • [9] I. Goodfellow, J. Pouget-Abadie, M. Mirza, B. Xu, D. Warde-Farley, S. Ozair, A. Courville, and Y. Bengio (2014) Generative adversarial nets. In Advances in neural information processing systems, pp. 2672–2680. Cited by: §5.
  • [10] K. He, X. Zhang, S. Ren, and J. Sun (2016) Deep residual learning for image recognition. In Proceedings of the IEEE conference on computer vision and pattern recognition, pp. 770–778. Cited by: §4.3, §4.3.
  • [11] D. Hendrycks and T. Dietterich (2019) Benchmarking neural network robustness to common corruptions and perturbations. arXiv preprint arXiv:1903.12261. Cited by: §4.4.
  • [12] B. Jayaraman and D. Evans (2019) Evaluating differentially private machine learning in practice. In 28th USENIX Security Symposium (USENIX Security 19), pp. 1895–1912. Cited by: §1, §1, §5.
  • [13] J. Jia, A. Salem, M. Backes, Y. Zhang, and N. Z. Gong (2019) MemGuard: defending against black-box membership inference attacks via adversarial examples. In Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security, pp. 259–274. Cited by: §1, §5.
  • [14] A. Krizhevsky, I. Sutskever, and G. E. Hinton (2012) Imagenet classification with deep convolutional neural networks. In Advances in neural information processing systems, pp. 1097–1105. Cited by: §4.2.
  • [15] Y. LeCun, Y. Bengio, and G. Hinton (2015) Deep learning. Nature 521 (7553), pp. 436–444. Cited by: §4.2.2.
  • [16] W. Li, R. Zhao, T. Xiao, and X. Wang (2014) Deepreid: deep filter pairing neural network for person re-identification. In Proceedings of the IEEE conference on computer vision and pattern recognition, pp. 152–159. Cited by: §1.
  • [17] G. Liu, C. Wang, K. Peng, H. Huang, Y. Li, and W. Cheng (2019) Socinf: membership inference attacks on social media health data with machine learning. IEEE Transactions on Computational Social Systems 6 (5), pp. 907–921. Cited by: §1.
  • [18] L. v. d. Maaten and G. Hinton (2008) Visualizing data using t-sne. Journal of machine learning research 9 (Nov), pp. 2579–2605. Cited by: §4.2.2.
  • [19] V. Mnih, K. Kavukcuoglu, D. Silver, A. A. Rusu, J. Veness, M. G. Bellemare, A. Graves, M. Riedmiller, A. K. Fidjeland, G. Ostrovski, et al. (2015) Human-level control through deep reinforcement learning. Nature 518 (7540), pp. 529. Cited by: §1.
  • [20] S. P. Mohanty, D. P. Hughes, and M. Salathé (2016) Using deep learning for image-based plant disease detection. Frontiers in plant science 7, pp. 1419. Cited by: §1.
  • [21] M. Nasr, R. Shokri, and A. Houmansadr (2018) Comprehensive privacy analysis of deep learning: stand-alone and federated learning under passive and active white-box inference attacks. arXiv preprint arXiv:1812.00910. Cited by: §2.1.
  • [22] M. Nasr, R. Shokri, and A. Houmansadr (2018) Machine learning with membership privacy using adversarial regularization. In Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, pp. 634–646. Cited by: §4.2.1, §4.2, §5.
  • [23] A. Y. Ng (2004) Feature selection, l 1 vs. l 2 regularization, and rotational invariance. In Proceedings of the twenty-first international conference on Machine learning, pp. 78. Cited by: §5.
  • [24] A. v. d. Oord, S. Dieleman, H. Zen, K. Simonyan, O. Vinyals, A. Graves, N. Kalchbrenner, A. Senior, and K. Kavukcuoglu (2016) Wavenet: a generative model for raw audio. arXiv preprint arXiv:1609.03499. Cited by: §1.
  • [25] S. J. Pan and Q. Yang (2009) A survey on transfer learning. IEEE Transactions on knowledge and data engineering 22 (10), pp. 1345–1359. Cited by: §2.2.
  • [26] N. Papernot, M. Abadi, U. Erlingsson, I. Goodfellow, and K. Talwar (2016) Semi-supervised knowledge transfer for deep learning from private training data. arXiv preprint arXiv:1610.05755. Cited by: §5.
  • [27] O. M. Parkhi, A. Vedaldi, A. Zisserman, et al. (2015) Deep face recognition. In BMVC, Vol. 1, pp. 6. Cited by: §1.
  • [28] A. Pyrgelis, C. Troncoso, and E. De Cristofaro (2017) Knock knock, who’s there? membership inference on aggregate location data. arXiv preprint arXiv:1708.06145. Cited by: §1, §1, §1, §1, §5.
  • [29] A. Salem, A. Bhattacharya, M. Backes, M. Fritz, and Y. Zhang (2019) Updates-leak: data set inference and reconstruction attacks in online learning. arXiv preprint arXiv:1904.01067. Cited by: §1.
  • [30] A. Salem, Y. Zhang, M. Humbert, P. Berrang, M. Fritz, and M. Backes (2018) Ml-leaks: model and data independent membership inference attacks and defenses on machine learning models. arXiv preprint arXiv:1806.01246. Cited by: §1, §2.1, item 2, §5.
  • [31] R. Shokri, M. Strobel, and Y. Zick (2019) Privacy risks of explaining machine learning models. arXiv preprint arXiv:1907.00164. Cited by: §2.1.
  • [32] R. Shokri, M. Stronati, C. Song, and V. Shmatikov (2017) Membership inference attacks against machine learning models. In 2017 IEEE Symposium on Security and Privacy (SP), pp. 3–18. Cited by: §1, item 2, §5, §5.
  • [33] L. Song, R. Shokri, and P. Mittal (2019) Privacy risks of securing machine learning models against adversarial examples. arXiv preprint arXiv:1905.10291. Cited by: §4.2, §5.
  • [34] N. Srivastava, G. Hinton, A. Krizhevsky, I. Sutskever, and R. Salakhutdinov (2014) Dropout: a simple way to prevent neural networks from overfitting. The journal of machine learning research 15 (1), pp. 1929–1958. Cited by: §5.
  • [35] B. Sun and K. Saenko (2016) Deep coral: correlation alignment for deep domain adaptation. In European Conference on Computer Vision, pp. 443–450. Cited by: §4.3.
  • [36] Technavio (2020) Deep learning market by type and geography - forecast and analysis 2020-2024. Technavio. Cited by: §1.
  • [37] A. Triastcyn and B. Faltings (2018) Generating artificial data for private deep learning. arXiv preprint arXiv:1803.03148. Cited by: §5, §5.
  • [38] E. Tzeng, J. Hoffman, K. Saenko, and T. Darrell (2017) Adversarial discriminative domain adaptation. In Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition, pp. 7167–7176. Cited by: §2.2, §3.2, §4.3.
  • [39] E. Tzeng, J. Hoffman, N. Zhang, K. Saenko, and T. Darrell (2014) Deep domain confusion: maximizing for domain invariance. arXiv preprint arXiv:1412.3474. Cited by: §2.2, §4.2, §4.3.
  • [40] P. Vincent, H. Larochelle, I. Lajoie, Y. Bengio, and P. Manzagol (2010) Stacked denoising autoencoders: learning useful representations in a deep network with a local denoising criterion. Journal of machine learning research 11 (Dec), pp. 3371–3408. Cited by: §2.2.
  • [41] P. Voigt and A. Von dem Bussche (2017) The eu general data protection regulation (gdpr). A Practical Guide, 1st Ed., Cham: Springer International Publishing. Cited by: §1.
  • [42] M. Wang and W. Deng (2018) Deep visual domain adaptation: a survey. Neurocomputing 312, pp. 135–153. Cited by: §2.2.
  • [43] C. Xu, J. Ren, D. Zhang, Y. Zhang, Z. Qin, and K. Ren (2019) GANobfuscator: mitigating information leakage under gan via differential privacy. IEEE Transactions on Information Forensics and Security 14 (9), pp. 2358–2371. Cited by: §5.
  • [44] Z. Yang, J. Zhang, E. Chang, and Z. Liang (2019) Neural network inversion in adversarial setting via background knowledge alignment. In Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security, pp. 225–240. Cited by: §2.1.
  • [45] S. Yeom, I. Giacomelli, M. Fredrikson, and S. Jha (2018) Privacy risk in machine learning: analyzing the connection to overfitting. In 2018 IEEE 31st Computer Security Foundations Symposium (CSF), pp. 268–282. Cited by: §2.1, item 2, §4.2, §4.2.
  • [46] C. Zauner (2010) Implementation and benchmarking of perceptual image hash functions. na. Cited by: 3rd item.