Property Inference as a Regression Problem: Attacks and Defense
Joshua Stock, Lucas Lange, Erhard Rahm, Hannes Federrath
2024
Abstract
In contrast to privacy attacks focussing on individuals in a training dataset (e.g., membership inference), Property Inference Attacks (PIAs) are aimed at extracting population-level properties from trained Machine Learning (ML) models. These sensitive properties are often based on ratios, such as the ratio of male to female records in a dataset. If a company has trained an ML model on customer data, a PIA could for example reveal the demographics of their customer base to a competitor, compromising a potential trade secret. For ratio-based properties, inferring over a continuous range using regression is more natural than classification. We therefore extend previous white-box and black-box attacks by modelling property inference as a regression problem. For the black-box attack we further reduce prior assumptions by using an arbitrary attack dataset, independent from a target model’s training data. We conduct experiments on three datasets for both white-box and black-box scenarios, indicating promising adversary performances in each scenario with a test R² between 0.6 and 0.86. We then present a new defense mechanism based on adversarial training that successfully inhibits our black-box attacks. This mechanism proves to be effective in reducing the adversary’s R² from 0.63 to 0.07 and induces practically no utility loss, with the accuracy of target models dropping by no more than 0.2 percentage points.
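The regression formulation of the black-box attack described in the abstract, as an added toy example (not the paper's code): the adversary trains shadow models on data with known group ratios, queries every model on one fixed, arbitrary probe set, and fits a meta-regressor from the returned confidences to the ratio, scoring it by test R² on unseen target models. The synthetic two-feature data, the logistic target-model family, the probe grid and all hyper-parameters are assumptions chosen for illustration; the leak is structural here because the group prior (the sensitive ratio) must be absorbed into the model's intercept.

```python
"""Toy black-box property inference as regression (added example, not the
paper's code).  Data, model family, probes and hyper-parameters are assumed."""
import math
import random


def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-max(-30.0, min(30.0, z))))


def identity(z):
    return z


def fit(xs, ys, link, epochs=100, lr=0.5, l2=0.01):
    """Full-batch gradient descent on link(w.x + b).  link=sigmoid gives
    logistic regression (target/shadow models); link=identity gives linear
    regression (the adversary's meta-regressor).  Both have d loss/dz = pred - y."""
    dim, n = len(xs[0]), len(xs)
    w, b = [0.0] * dim, 0.0
    for _ in range(epochs):
        gw, gb = [0.0] * dim, 0.0
        for x, y in zip(xs, ys):
            err = link(sum(wi * xi for wi, xi in zip(w, x)) + b) - y
            for i in range(dim):
                gw[i] += err * x[i]
            gb += err
        w = [wi - lr * (gi / n + l2 * wi) for wi, gi in zip(w, gw)]
        b -= lr * gb / n
    return w, b


def predict(model, x, link):
    w, b = model
    return link(sum(wi * xi for wi, xi in zip(w, x)) + b)


def make_dataset(rng, n, ratio):
    """Constructed data. `ratio` (fraction of group-1 records) is the sensitive
    property.  Group is not a feature: x1 is only a noisy indicator of it and the
    label threshold on x2 differs per group, so the fitted intercept and weights
    depend on the group prior, which is what the attack recovers."""
    xs, ys = [], []
    for _ in range(n):
        g = 1 if rng.random() < ratio else 0
        x1 = g + rng.gauss(0.0, 1.0)
        x2 = rng.uniform(-2.0, 2.0)
        y = 1 if x2 + rng.gauss(0.0, 0.3) > (-1.0 if g else 1.0) else 0
        xs.append([x1, x2])
        ys.append(y)
    return xs, ys


# Arbitrary attack dataset: a fixed grid, independent of the target's training
# data.  Only its fixity across queried models matters.
PROBES = [[a, b] for a in (-1.0, 0.0, 1.0, 2.0) for b in (-1.0, 0.0, 1.0)]


def black_box_features(model):
    """Black-box access only: the vector of confidences on the probes."""
    return [predict(model, p, sigmoid) for p in PROBES]


def r2(y_true, y_pred):
    mean = sum(y_true) / len(y_true)
    ss_res = sum((t - p) ** 2 for t, p in zip(y_true, y_pred))
    ss_tot = sum((t - mean) ** 2 for t in y_true)
    return 1.0 - ss_res / ss_tot


def train_victim(rng, n_records):
    ratio = rng.uniform(0.1, 0.9)
    return ratio, fit(*make_dataset(rng, n_records, ratio), sigmoid)


def run_attack(seed=0, n_shadow=50, n_targets=12, n_records=200):
    """Returns (test R^2 on unseen targets, [(true ratio, inferred ratio), ...])."""
    rng = random.Random(seed)
    # 1. Shadow models trained by the adversary on data with known ratios.
    shadow = [train_victim(rng, n_records) for _ in range(n_shadow)]
    feats = [black_box_features(m) for _, m in shadow]
    ratios = [r for r, _ in shadow]
    # 2. Standardise probe confidences, then regress the ratio on them.
    dim = len(PROBES)
    mu = [sum(f[i] for f in feats) / n_shadow for i in range(dim)]
    sd = [max(1e-9, math.sqrt(sum((f[i] - mu[i]) ** 2 for f in feats) / n_shadow))
          for i in range(dim)]

    def std(f):
        return [(f[i] - mu[i]) / sd[i] for i in range(dim)]

    meta = fit([std(f) for f in feats], ratios, identity,
               epochs=1500, lr=0.05, l2=0.001)
    # 3. Evaluate on fresh target models whose ratios the adversary never saw.
    pairs = []
    for _ in range(n_targets):
        r, m = train_victim(rng, n_records)
        pairs.append((r, predict(meta, std(black_box_features(m)), identity)))
    return r2([t for t, _ in pairs], [p for _, p in pairs]), pairs


if __name__ == "__main__":
    score, pairs = run_attack()
    for t, p in pairs:
        print(f"true ratio {t:.2f}  inferred {p:.2f}")
    print(f"test R^2 on unseen targets: {score:.2f}")
```

The meta-regressor is deliberately a continuous predictor rather than a classifier over ratio buckets, which is the modelling choice the abstract argues for; R² on held-out targets is the natural score for it. A defence in the spirit of the paper would have to make the probe confidences uninformative about the ratio without moving the target's accuracy, which this toy does not attempt.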
Paper Citation
in Harvard Style
Stock J., Lange L., Rahm E. and Federrath H. (2024). Property Inference as a Regression Problem: Attacks and Defense. In Proceedings of the 21st International Conference on Security and Cryptography - Volume 1: SECRYPT; ISBN 978-989-758-709-2, SciTePress, pages 876-885. DOI: 10.5220/0012863800003767
in Bibtex Style
@conference{secrypt24,
author={Joshua Stock and Lucas Lange and Erhard Rahm and Hannes Federrath},
title={Property Inference as a Regression Problem: Attacks and Defense},
booktitle={Proceedings of the 21st International Conference on Security and Cryptography - Volume 1: SECRYPT},
year={2024},
pages={876-885},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0012863800003767},
isbn={978-989-758-709-2},
}
in EndNote Style
TY - CONF
JO - Proceedings of the 21st International Conference on Security and Cryptography - Volume 1: SECRYPT
TI - Property Inference as a Regression Problem: Attacks and Defense
SN - 978-989-758-709-2
AU - Stock J.
AU - Lange L.
AU - Rahm E.
AU - Federrath H.
PY - 2024
SP - 876
EP - 885
DO - 10.5220/0012863800003767
PB - SciTePress