Sheng Liu,Zihan Wang,Yuxiao Chen,Qi Lei

2024-06-27

Abstract:Reconstruction attacks and defenses are essential in understanding the data leakage problem in machine learning. However, prior work has centered around empirical observations of gradient inversion attacks, lacks theoretical justifications, and cannot disentangle the usefulness of defending methods from the computational limitation of attacking methods. In this work, we propose to view the problem as an inverse problem, enabling us to theoretically, quantitatively, and systematically evaluate the data reconstruction problem. On various defense methods, we derived the algorithmic upper bound and the matching (in feature dimension and model width) information-theoretical lower bound on the reconstruction error for two-layer neural networks. To complement the theoretical results and investigate the utility-privacy trade-off, we defined a natural evaluation metric of the defense methods with similar utility loss among the strongest attacks. We further propose a strong reconstruction attack that helps update some previous understanding of the strength of defense methods under our proposed evaluation metric.

Cryptography and Security,Machine Learning

Alexander Ziller,Anneliese Riess,Kristian Schwethelm,Tamara T. Mueller,Daniel Rueckert,Georgios Kaissis

2024-02-20

Abstract:Reconstruction attacks on machine learning (ML) models pose a strong risk of leakage of sensitive data. In specific contexts, an adversary can (almost) perfectly reconstruct training data samples from a trained model using the model's gradients. When training ML models with differential privacy (DP), formal upper bounds on the success of such reconstruction attacks can be provided. So far, these bounds have been formulated under worst-case assumptions that might not hold high realistic practicality. In this work, we provide formal upper bounds on reconstruction success under realistic adversarial settings against ML models trained with DP and support these bounds with empirical results. With this, we show that in realistic scenarios, (a) the expected reconstruction success can be bounded appropriately in different contexts and by different metrics, which (b) allows for a more educated choice of a privacy parameter.

Machine Learning,Cryptography and Security

Xudong Pan,Mi Zhang,Yifan Yan,Jiaming Zhu,Min Yang

DOI: https://doi.org/10.48550/arxiv.2010.13356

2020-01-01

Abstract:Among existing privacy attacks on the gradient of neural networks, data reconstruction attack, which reverse engineers the training batch from the gradient, poses a severe threat on the private training data. Despite its empirical success on large architectures and small training batches, unstable reconstruction accuracy is also observed when a smaller architecture or a larger batch is under attack. Due to the weak interpretability of existing learning-based attacks, there is little known on why, when and how data reconstruction attack is feasible. In our work, we perform the first analytic study on the security boundary of data reconstruction from gradient via a microcosmic view on neural networks with rectified linear units (ReLUs), the most popular activation function in practice. For the first time, we characterize the insecure/secure boundary of data reconstruction attack in terms of the neuron exclusivity state of a training batch, indexed by the number of Exclusively Activated Neurons (ExANs, i.e., a ReLU activated by only one sample in a batch). Intuitively, we show a training batch with more ExANs are more vulnerable to data reconstruction attack and vice versa. On the one hand, we construct a novel deterministic attack algorithm which substantially outperforms previous attacks for reconstructing training batches lying in the insecure boundary of a neural network. Meanwhile, for training batches lying in the secure boundary, we prove the impossibility of unique reconstruction, based on which an exclusivity reduction strategy is devised to enlarge the secure boundary for mitigation purposes.

Zifan Wang,Binghui Zhang,Meng Pang,Yuan Hong,Binghui Wang

2024-08-22

Abstract:Federated learning (FL) is an emerging collaborative learning paradigm that aims to protect data privacy. Unfortunately, recent works show FL algorithms are vulnerable to the serious data reconstruction attacks. However, existing works lack a theoretical foundation on to what extent the devices' data can be reconstructed and the effectiveness of these attacks cannot be compared fairly due to their unstable performance. To address this deficiency, we propose a theoretical framework to understand data reconstruction attacks to FL. Our framework involves bounding the data reconstruction error and an attack's error bound reflects its inherent attack effectiveness. Under the framework, we can theoretically compare the effectiveness of existing attacks. For instance, our results on multiple datasets validate that the iDLG attack inherently outperforms the DLG attack.

Cryptography and Security,Artificial Intelligence

Ran Elbaz,Gilad Yehudai,Meirav Galun,Haggai Maron

2024-11-25

Abstract:Reconstructing training data from trained neural networks is an active area of research with significant implications for privacy and explainability. Recent advances have demonstrated the feasibility of this process for several data types. However, reconstructing data from group-invariant neural networks poses distinct challenges that remain largely unexplored. This paper addresses this gap by first formulating the problem and discussing some of its basic properties. We then provide an experimental evaluation demonstrating that conventional reconstruction techniques are inadequate in this scenario. Specifically, we observe that the resulting data reconstructions gravitate toward symmetric inputs on which the group acts trivially, leading to poor-quality results. Finally, we propose two novel methods aiming to improve reconstruction in this setup and present promising preliminary experimental results. Our work sheds light on the complexities of reconstructing data from group invariant neural networks and offers potential avenues for future research in this domain.

Machine Learning

Qiumei Cheng,Chunming Wu,Bin Hu,Dezhang Kong,Boyang Zhou

DOI: https://doi.org/10.1109/globecom38437.2019.9013291

2019-01-01

Abstract:The intrusion response system is dedicated to automatically respond to sophisticated network intrusions, which is a sequential decision-making problem for autonomous agents. The current Markov decision process (MDP) or stochastic games based solutions suffer from several weaknesses: (i) The MDPbased approach is unable to explicitly model the opponents; (ii) The Nash equilibrium approach of stochastic games cannot handle the condition with multi equilibria. Existing studies have not considered the cognitive ability of the agent and lack of explicit opponent modeling. Inspired by recursive reasoning, this paper introduces a theory of mind (ToM)-based stochastic game-theoretic approach to reason about the beliefs and behaviors of the attackers. Each agent maintains different order ToM beliefs concerning his opponent with explicit opponent modeling. In order to accurately predict the attacker's action with nested beliefs, we utilize the Bayesian attack graph (BAG) to model multi-step attacks scenarios. In addition, the agent is allowed to learn from new information to adjust his beliefs and learning speed. Simulation results validate that ToM modeling performs well in the intrusion response system than random defense actions. Besides, a defender with first-order ToM beliefs always wins an attacker with zero-order ToM beliefs.

Martin Bertran,Shuai Tang,Michael Kearns,Jamie Morgenstern,Aaron Roth,Zhiwei Steven Wu

2024-05-31

Abstract:Machine unlearning is motivated by desire for data autonomy: a person can request to have their data's influence removed from deployed models, and those models should be updated as if they were retrained without the person's data. We show that, counter-intuitively, these updates expose individuals to high-accuracy reconstruction attacks which allow the attacker to recover their data in its entirety, even when the original models are so simple that privacy risk might not otherwise have been a concern. We show how to mount a near-perfect attack on the deleted data point from linear regression models. We then generalize our attack to other loss functions and architectures, and empirically demonstrate the effectiveness of our attacks across a wide range of datasets (capturing both tabular and image data). Our work highlights that privacy risk is significant even for extremely simple model classes when individuals can request deletion of their data from the model.

Machine Learning,Cryptography and Security

Florine W. Dekker,Zekeriya Erkin,Mauro Conti

DOI: https://doi.org/10.56553/popets-2025-0030

2024-12-03

Abstract:Decentralised learning has recently gained traction as an alternative to federated learning in which both data and coordination are distributed. To preserve the confidentiality of users' data, decentralised learning relies on differential privacy, multi-party computation, or both. However, running multiple privacy-preserving summations in sequence may allow adversaries to perform reconstruction attacks. Current reconstruction countermeasures either cannot trivially be adapted to the distributed setting, or add excessive amounts of noise. In this work, we first show that passive honest-but-curious adversaries can infer other users' private data after several privacy-preserving summations. For example, in subgraphs with 18 users, we show that only three passive honest-but-curious adversaries succeed at reconstructing private data 11.0% of the time, requiring an average of 8.8 summations per adversary. The success rate depends only on the adversaries' direct neighbourhood, and is independent of the size of the full network. We consider weak adversaries that do not control the graph topology, cannot exploit the summation's inner workings, and do not have auxiliary knowledge; and show that these adversaries can still infer private data. We analyse how reconstruction relates to topology and propose the first topology-based decentralised defence against reconstruction attacks. We show that reconstruction requires a number of adversaries linear in the length of the network's shortest cycle. Consequently, exact attacks over privacy-preserving summations are impossible in acyclic networks. Our work is a stepping stone for a formal theory of topology-based decentralised reconstruction defences. Such a theory would generalise our countermeasure beyond summation, define confidentiality in terms of entropy, and describe the interactions with (topology-aware) differential privacy.

Cryptography and Security,Distributed, Parallel, and Cluster Computing,Discrete Mathematics,Machine Learning

Pierre Stock,Igor Shilov,Ilya Mironov,Alexandre Sablayrolles

DOI: https://doi.org/10.48550/arXiv.2202.07623

2022-02-16

Abstract:Reconstruction attacks allow an adversary to regenerate data samples of the training set using access to only a trained model. It has been recently shown that simple heuristics can reconstruct data samples from language models, making this threat scenario an important aspect of model release. Differential privacy is a known solution to such attacks, but is often used with a relatively large privacy budget (epsilon > 8) which does not translate to meaningful guarantees. In this paper we show that, for a same mechanism, we can derive privacy guarantees for reconstruction attacks that are better than the traditional ones from the literature. In particular, we show that larger privacy budgets do not protect against membership inference, but can still protect extraction of rare secrets. We show experimentally that our guarantees hold against various language models, including GPT-2 finetuned on Wikitext-103.

Machine Learning,Artificial Intelligence,Cryptography and Security

Noel Loo,Ramin Hasani,Mathias Lechner,Alexander Amini,Daniela Rus

2023-11-10

Abstract:Modern deep learning requires large volumes of data, which could contain sensitive or private information that cannot be leaked. Recent work has shown for homogeneous neural networks a large portion of this training data could be reconstructed with only access to the trained network parameters. While the attack was shown to work empirically, there exists little formal understanding of its effective regime which datapoints are susceptible to reconstruction. In this work, we first build a stronger version of the dataset reconstruction attack and show how it can provably recover the \emph{entire training set} in the infinite width regime. We then empirically study the characteristics of this attack on two-layer networks and reveal that its success heavily depends on deviations from the frozen infinite-width Neural Tangent Kernel limit. Next, we study the nature of easily-reconstructed images. We show that both theoretically and empirically, reconstructed images tend to "outliers" in the dataset, and that these reconstruction attacks can be used for \textit{dataset distillation}, that is, we can retrain on reconstructed images and obtain high predictive accuracy.

Machine Learning,Artificial Intelligence,Neural and Evolutionary Computing

Georgios Kaissis,Jamie Hayes,Alexander Ziller,Daniel Rueckert

2023-07-08

Abstract:We explore Reconstruction Robustness (ReRo), which was recently proposed as an upper bound on the success of data reconstruction attacks against machine learning models. Previous research has demonstrated that differential privacy (DP) mechanisms also provide ReRo, but so far, only asymptotic Monte Carlo estimates of a tight ReRo bound have been shown. Directly computable ReRo bounds for general DP mechanisms are thus desirable. In this work, we establish a connection between hypothesis testing DP and ReRo and derive closed-form, analytic or numerical ReRo bounds for the Laplace and Gaussian mechanisms and their subsampled variants.

Cryptography and Security,Artificial Intelligence

Adel Elmahdy,Ahmed Salem

2023-06-24

Abstract:Natural language processing (NLP) models have become increasingly popular in real-world applications, such as text classification. However, they are vulnerable to privacy attacks, including data reconstruction attacks that aim to extract the data used to train the model. Most previous studies on data reconstruction attacks have focused on LLM, while classification models were assumed to be more secure. In this work, we propose a new targeted data reconstruction attack called the Mix And Match attack, which takes advantage of the fact that most classification models are based on LLM. The Mix And Match attack uses the base model of the target model to generate candidate tokens and then prunes them using the classification head. We extensively demonstrate the effectiveness of the attack using both random and organic canaries. This work highlights the importance of considering the privacy risks associated with data reconstruction attacks in classification models and offers insights into possible leakages.

Computation and Language,Cryptography and Security,Machine Learning

Christina Runkel,Kanchana Vaishnavi Gandikota,Jonas Geiping,Carola-Bibiane Schönlieb,Michael Moeller

2024-12-12

Abstract:Being able to reconstruct training data from the parameters of a neural network is a major privacy concern. Previous works have shown that reconstructing training data, under certain circumstances, is possible. In this work, we analyse such reconstructions empirically and propose a new formulation of the reconstruction as a solution to a bilevel optimisation problem. We demonstrate that our formulation as well as previous approaches highly depend on the initialisation of the training images $x$ to reconstruct. In particular, we show that a random initialisation of $x$ can lead to reconstructions that resemble valid training samples while not being part of the actual training dataset. Thus, our experiments on affine and one-hidden layer networks suggest that when reconstructing natural images, yet an adversary cannot identify whether reconstructed images have indeed been part of the set of training samples.

Machine Learning,Cryptography and Security

Jamie Hayes,Saeed Mahloujifar,Borja Balle

DOI: https://doi.org/10.48550/arXiv.2302.07225

2023-10-30

Abstract:Differentially private training offers a protection which is usually interpreted as a guarantee against membership inference attacks. By proxy, this guarantee extends to other threats like reconstruction attacks attempting to extract complete training examples. Recent works provide evidence that if one does not need to protect against membership attacks but instead only wants to protect against training data reconstruction, then utility of private models can be improved because less noise is required to protect against these more ambitious attacks. We investigate this further in the context of DP-SGD, a standard algorithm for private deep learning, and provide an upper bound on the success of any reconstruction attack against DP-SGD together with an attack that empirically matches the predictions of our bound. Together, these two results open the door to fine-grained investigations on how to set the privacy parameters of DP-SGD in practice to protect against reconstruction attacks. Finally, we use our methods to demonstrate that different settings of the DP-SGD parameters leading to the same DP guarantees can result in significantly different success rates for reconstruction, indicating that the DP guarantee alone might not be a good proxy for controlling the protection against reconstruction attacks.

Cryptography and Security,Machine Learning

Qi Tan,Qi Li,Yi Zhao,Zhuotao Liu,Xiaobing Guo,Ke Xu

2024-03-03

Abstract:Federated Learning (FL) trains a black-box and high-dimensional model among different clients by exchanging parameters instead of direct data sharing, which mitigates the privacy leak incurred by machine learning. However, FL still suffers from membership inference attacks (MIA) or data reconstruction attacks (DRA). In particular, an attacker can extract the information from local datasets by constructing DRA, which cannot be effectively throttled by existing techniques, e.g., Differential Privacy (DP).

Machine Learning,Cryptography and Security,Distributed, Parallel, and Cluster Computing

Ke Wang,Chao Han,Ada Waichee Fu

DOI: https://doi.org/10.48550/arXiv.1202.3179

2012-02-15

Databases

Abstract:With the randomization approach, sensitive data items of records are randomized to protect privacy of individuals while allowing the distribution information to be reconstructed for data analysis. In this paper, we distinguish between reconstruction that has potential privacy risk, called micro reconstruction, and reconstruction that does not, called aggregate reconstruction. We show that the former could disclose sensitive information about a target individual, whereas the latter is more useful for data analysis than for privacy breaches. To limit the privacy risk of micro reconstruction, we propose a privacy definition, called (epsilon,delta)-reconstruction-privacy. Intuitively, this privacy notion requires that micro reconstruction has a large error with a large probability. The promise of this approach is that micro reconstruction is more sensitive to the number of independent trials in the randomization process than aggregate reconstruction is; therefore, reducing the number of independent trials helps achieve (epsilon,delta)-reconstruction-privacy while preserving the accuracy of aggregate reconstruction. We present an algorithm based on this idea and evaluate the effectiveness of this approach using real life data sets.

Alessandro Erba,Riccardo Taormina,Stefano Galelli,Marcello Pogliani,Michele Carminati,Stefano Zanero,Nils Ole Tippenhauer

DOI: https://doi.org/10.1145/3427228.3427660

2020-10-12

Abstract:Recently, reconstruction-based anomaly detection was proposed as an effective technique to detect attacks in dynamic industrial control networks. Unlike classical network anomaly detectors that observe the network traffic, reconstruction-based detectors operate on the measured sensor data, leveraging physical process models learned a priori. In this work, we investigate different approaches to evade prior-work reconstruction-based anomaly detectors by manipulating sensor data so that the attack is concealed. We find that replay attacks (commonly assumed to be very strong) show bad performance (i.e., increasing the number of alarms) if the attacker is constrained to manipulate less than 95% of all features in the system, as hidden correlations between the features are not replicated well. To address this, we propose two novel attacks that manipulate a subset of the sensor readings, leveraging learned physical constraints of the system. Our attacks feature two different attacker models: A white box attacker, which uses an optimization approach with a detection oracle, and a black box attacker, which uses an autoencoder to translate anomalous data into normal data. We evaluate our implementation on two different datasets from the water distribution domain, showing that the detector's Recall drops from 0.68 to 0.12 by manipulating 4 sensors out of 82 in WADI dataset. In addition, we show that our black box attacks are transferable to different detectors: They work against autoencoder-, LSTM-, and CNN-based detectors. Finally, we implement and demonstrate our attacks on a real industrial testbed to demonstrate their feasibility in real-time.

Cryptography and Security,Machine Learning

Chi Zhang,Wenbo Zhou,Kui Zhang,Jie Zhang,Weiming Zhang,Nenghai Yu

DOI: https://doi.org/10.1145/3674399.3674448

2024-01-01

Abstract:Adversarial attacks have been demonstrated a huge threat to the field of artificial intelligence security. To address it, adversarial training is proposed, but it requires a high computation cost and will degrade the original performance. For easy deployment, some detection solutions have emerged. However, most existing methods mainly leverage the vulnerability of adversarial perturbation against input-level processing and differences in distribution such as reconstruction or bit reduction, but it is difficult for them to detect attacks with different perturbation patterns and strengths. To address it, a very recent method, ContraNet, leverages the victim model’s prediction to guide the input reconstruction, but this will decrease the detection rate on clean images. This paper also focuses on input-reconstruction but utilizes semantic similarity comparison. Different from ContraNet, we attempt to amplify the semantic inconsistency between the adversarial example and its reconstruction format based on the intrinsic features of the target classifier. In other words, this paper proposes a reconstruction-based detection via intrinsic features of the classifier to explore adversarial examples from the perspective of the target classifier rather than the distribution in pixel space perceived by humans. Based on this, a feature extractor can be learned in unsupervised learning through a modified SimCLR to perform semantic extraction, while the reconstruction of adversarial examples has inconsistent semantic information on the pixels, thus distinguishing clean samples and AEs. Our method can effectively defend against various disturbances and different types of attacks, maintaining a high detection robustness accuracy, and a high clean detection rate.

Jérémie Dentan,Arnaud Paran,Aymen Shabou

2024-06-05

Abstract:Document understanding models are increasingly employed by companies to supplant humans in processing sensitive documents, such as invoices, tax notices, or even ID cards. However, the robustness of such models to privacy attacks remains vastly unexplored. This paper presents CDMI, the first reconstruction attack designed to extract sensitive fields from the training data of these models. We attack LayoutLM and BROS architectures, demonstrating that an adversary can perfectly reconstruct up to 4.1% of the fields of the documents used for fine-tuning, including some names, dates, and invoice amounts up to six-digit numbers. When our reconstruction attack is combined with a membership inference attack, our attack accuracy escalates to 22.5%. In addition, we introduce two new end-to-end metrics and evaluate our approach under various conditions: unimodal or bimodal data, LayoutLM or BROS backbones, four fine-tuning tasks, and two public datasets (FUNSD and SROIE). We also investigate the interplay between overfitting, predictive performance, and susceptibility to our attack. We conclude with a discussion on possible defenses against our attack and potential future research directions to construct robust document understanding models.

Cryptography and Security

Krishnamurty Muralidhar,Josep Domingo-Ferrer

DOI: https://doi.org/10.48550/arXiv.2301.10213

2023-01-25

Abstract:In recent years, it has been claimed that releasing accurate statistical information on a database is likely to allow its complete reconstruction. Differential privacy has been suggested as the appropriate methodology to prevent these attacks. These claims have recently been taken very seriously by the U.S. Census Bureau and led them to adopt differential privacy for releasing U.S. Census data. This in turn has caused consternation among users of the Census data due to the lack of accuracy of the protected outputs. It has also brought legal action against the U.S. Department of Commerce. In this paper, we trace the origins of the claim that releasing information on a database automatically makes it vulnerable to being exposed by reconstruction attacks and we show that this claim is, in fact, incorrect. We also show that reconstruction can be averted by properly using traditional statistical disclosure control (SDC) techniques. We further show that the geographic level at which exact counts are released is even more relevant to protection than the actual SDC method employed. Finally, we caution against confusing reconstruction and reidentification: using the quality of reconstruction as a metric of reidentification results in exaggerated reidentification risk figures.

Cryptography and Security,Databases