Xueluan Gong,Yanjiao Chen,Qian Wang,Meng Wang,Shuyang Li

DOI: https://doi.org/10.1109/MCOM.004.2100867

IF: 9.03

2022-01-01

IEEE Communications Magazine

Abstract:Machine learning models are established with a variety of data collected from individual users who are concerned about their privacy. Various cloud service providers (e.g., Amazon, Google, Alibaba) commercialize their models by selling them or providing limited access via APIs. However, existing studies have shown that such cloud-based models are susceptible to training data inference attacks (i.e., membership inference attacks, attribute inference attacks, and model inversion attacks) since the trained models remember information about the training data. In this article, we perform an exhaustive investigation on the current training data inference attacks against cloud-based models. According to the attack scenario, we divide the existing inference attacks into two categories: centralized and collaborative learning scenarios. We first give a comprehensive review of attacks in each category and then give a qualitative comparison of the existing attacks. Further, we quantitatively compare the performance of different attack strategies by experiments. Last but not least, we pinpoint some open issues and potential future directions that need to be investigated in this area.

Ximeng Liu,Lehui Xie,Yaopeng Wang,Jian Zou,Jinbo Xiong,Zuobin Ying,Athanasios V. Vasilakos

DOI: https://doi.org/10.1109/ACCESS.2020.3045078

IF: 3.9

2021-01-01

IEEE Access

Abstract:Deep Learning (DL) algorithms based on artificial neural networks have achieved remarkable success and are being extensively applied in a variety of application domains, ranging from image classification, automatic driving, natural language processing to medical diagnosis, credit risk assessment, intrusion detection. However, the privacy and security issues of DL have been revealed that the DL model can be stolen or reverse engineered, sensitive training data can be inferred, even a recognizable face image of the victim can be recovered. Besides, the recent works have found that the DL model is vulnerable to adversarial examples perturbed by imperceptible noised, which can lead the DL model to predict wrongly with high confidence. In this paper, we first briefly introduces the four types of attacks and privacy-preserving techniques in DL. We then review and summarize the attack and defense methods associated with DL privacy and security in recent years. To demonstrate that security threats really exist in the real world, we also reviewed the adversarial attacks under the physical condition. Finally, we discuss current challenges and open problems regarding privacy and security issues in DL.

Gopichandh Golla

2023-11-23

Abstract:These days, deep learning models have achieved great success in multiple fields, from autonomous driving to medical diagnosis. These models have expanded the abilities of artificial intelligence by offering great solutions to complex problems that were very difficult to solve earlier. In spite of their unseen success in various, it has been identified, through research conducted, that deep learning models can be subjected to various attacks that compromise model security and data privacy of the Deep Neural Network models. Deep learning models can be subjected to various attacks at different stages of their lifecycle. During the testing phase, attackers can exploit vulnerabilities through different kinds of attacks such as Model Extraction Attacks, Model Inversion attacks, and Adversarial attacks. Model Extraction Attacks are aimed at reverse-engineering a trained deep learning model, with the primary objective of revealing its architecture and parameters. Model inversion attacks aim to compromise the privacy of the data used in the Deep learning model. These attacks are done to compromise the confidentiality of the model by going through the sensitive training data from the model's predictions. By analyzing the model's responses, attackers aim to reconstruct sensitive information. In this way, the model's data privacy is compromised. Adversarial attacks, mainly employed on computer vision models, are made to corrupt models into confidently making incorrect predictions through malicious testing data. These attacks subtly alter the input data, making it look normal but misleading deep learning models to make incorrect decisions. Such attacks can happen during both the model's evaluation and training phases. Data Poisoning Attacks add harmful data to the training set, disrupting the learning process and reducing the reliability of the deep learning mode.

Cryptography and Security,Artificial Intelligence

Muhammad Tayyab,Mohsen Marjani,N.Z. Jhanjhi,Ibrahim Abaker Targio Hashem,Raja Sher Afgun Usmani,Faizan Qamar

DOI: https://doi.org/10.1016/j.cose.2023.103297

2023-05-20

Abstract:Machine Learning (ML) algorithms are used to train the machines to perform various complicated tasks that begin to modify and improve with experiences. It has become widely used for automated decisions. In particular, the applications which have a profound impact on society that rely on Deep Learning (DL) for autonomous decisions, such as Patient Health Record (PHR), Unmanned Aerial Vehicles (UAVs), etc. Such impacts have a vital concern about the potential vulnerabilities introduced by DL. Traditional attackers have powerful motives that can alter and modify DL algorithms to subvert the outcomes. In poisoning attacks, an attacker can consciously change training dataset, which is used to operate the outcomes of decision-based model. While in privacy and evasion attacks, an adversary can also misclassify new datasets to infer private information. Therefore, in this paper, we have provided a review of security and privacy issues of DL algorithms and analyzed their applications and challenges based on state-of-the-art literature. We have classified attacks, devised a taxonomy, and comprehensive analysis of defense techniques for the most common attacks such as poisoning, evasion, model extraction, and model inversion. We have also presented various privacy preserving techniques to ensure the privacy of dataset. We have proposed a secure cryptographic framework for dataset based on hash functions and Homomorphic Encryption (HE) scheme. Finally, we have provided recent research challenges and future studies concerning security and privacy issues. We believed that the highlighted limitations and weaknesses provide possible research questions and open matters for designing efficient future DL algorithms.

computer science, information systems

Muhammad Imran Tariq,Nisar Ahmed Memon,Shakeel Ahmed,Shahzadi Tayyaba,Muhammad Tahir Mushtaq,Natash Ali Mian,Muhammad Imran,Muhammad W. Ashraf

DOI: https://doi.org/10.1155/2020/6535834

2020-04-07

Mobile Information Systems

Abstract:In recent past years, Deep Learning presented an excellent performance in different areas like image recognition, pattern matching, and even in cybersecurity. The Deep Learning has numerous advantages including fast solving complex problems, huge automation, maximum application of unstructured data, ability to give high quality of results, reduction of high costs, no need for data labeling, and identification of complex interactions, but it also has limitations like opaqueness, computationally intensive, need for abundant data, and more complex algorithms. In our daily life, we used many applications that use Deep Learning models to make decisions based on predictions, and if Deep Learning models became the cause of misprediction due to internal/external malicious effects, it may create difficulties in our real life. Furthermore, the Deep Learning training models often have sensitive information of the users and those models should not be vulnerable and expose security and privacy. The algorithms of Deep Learning and machine learning are still vulnerable to different types of security threats and risks. Therefore, it is necessary to call the attention of the industry in respect of security threats and related countermeasures techniques for Deep Learning, which motivated the authors to perform a comprehensive survey of Deep Learning security and privacy security challenges and countermeasures in this paper. We also discussed the open challenges and current issues.

computer science, information systems,telecommunications

Haipeng Peng,Shuang Bao,Lixiang Li

DOI: https://doi.org/10.1109/tai.2023.3314398

2023-01-01

IEEE Transactions on Artificial Intelligence

Abstract:In recent years, deep learning (DL) models have attracted widespread concern. Due to its own characteristics, DL has been successfully applied in the fields of object detection, super-resolution reconstruction, speech recognition, natural language processing, etc., bringing high efficiency to industrial production and daily life. With the Internet of Things, 6 G and other new technologies have been proposed, leading to an exponential growth in data volume. DL models currently suffer from some security issues, such as privacy issues during data collection, defense issues during model training and deployment, etc. The sensitive data of users and special institutions that are directly used as training data of DL models may lead to information leakage and serious privacy problems. In addition, DL models have encountered many malicious attacks in the real world, such as poisoning attack, exploratory attack, adversarial attack, etc., which caused model security problems. Therefore, this paper discusses ways of ensuring the security and data privacy of DL models under diversified attack methods, and the ways of ensuring the privacy security of edge mobile devices equipped with pre-trained deep neural networks (DNNs). Alternatively, this paper analyzes the privacy security of DL models for typical deployment platforms such as server/cloud, edge mobile device and web browser, and then summarizes future research direction.

Tianyang Wang,Ziqian Bi,Yichao Zhang,Ming Liu,Weiche Hsieh,Pohsun Feng,Lawrence K.Q. Yan,Yizhu Wen,Benji Peng,Junyu Liu,Keyu Chen,Sen Zhang,Ming Li,Chuanqi Jiang,Xinyuan Song,Junjie Yang,Bowen Jing,Jintao Ren,Junhao Song,Hong-Ming Tseng,Silin Chen,Yunze Wang,Chia Xin Liang,Jiawei Xu,Xuanhe Pan,Jinlang Wang,Qian Niu

2024-12-16

Abstract:Deep learning has transformed AI applications but faces critical security challenges, including adversarial attacks, data poisoning, model theft, and privacy leakage. This survey examines these vulnerabilities, detailing their mechanisms and impact on model integrity and confidentiality. Practical implementations, including adversarial examples, label flipping, and backdoor attacks, are explored alongside defenses such as adversarial training, differential privacy, and federated learning, highlighting their strengths and limitations. Advanced methods like contrastive and self-supervised learning are presented for enhancing robustness. The survey concludes with future directions, emphasizing automated defenses, zero-trust architectures, and the security challenges of large AI models. A balanced approach to performance and security is essential for developing reliable deep learning systems.

Cryptography and Security,Machine Learning,Software Engineering

Fatemehsadat Mireshghallah,Mohammadkazem Taram,Praneeth Vepakomma,Abhishek Singh,Ramesh Raskar,Hadi Esmaeilzadeh

DOI: https://doi.org/10.48550/arXiv.2004.12254

2020-11-07

Abstract:The ever-growing advances of deep learning in many areas including vision, recommendation systems, natural language processing, etc., have led to the adoption of Deep Neural Networks (DNNs) in production systems. The availability of large datasets and high computational power are the main contributors to these advances. The datasets are usually crowdsourced and may contain sensitive information. This poses serious privacy concerns as this data can be misused or leaked through various vulnerabilities. Even if the cloud provider and the communication link is trusted, there are still threats of inference attacks where an attacker could speculate properties of the data used for training, or find the underlying model architecture and parameters. In this survey, we review the privacy concerns brought by deep learning, and the mitigating techniques introduced to tackle these issues. We also show that there is a gap in the literature regarding test-time inference privacy, and propose possible future research directions.

Machine Learning,Cryptography and Security

Joshua C. Zhao,Saurabh Bagchi,Salman Avestimehr,Kevin S. Chan,Somali Chaterji,Dimitris Dimitriadis,Jiacheng Li,Ninghui Li,Arash Nourian,Holger R. Roth

2024-05-07

Abstract:Deep learning has shown incredible potential across a vast array of tasks and accompanying this growth has been an insatiable appetite for data. However, a large amount of data needed for enabling deep learning is stored on personal devices and recent concerns on privacy have further highlighted challenges for accessing such data. As a result, federated learning (FL) has emerged as an important privacy-preserving technology enabling collaborative training of machine learning models without the need to send the raw, potentially sensitive, data to a central server. However, the fundamental premise that sending model updates to a server is privacy-preserving only holds if the updates cannot be "reverse engineered" to infer information about the private training data. It has been shown under a wide variety of settings that this premise for privacy does {\em not} hold.

Cryptography and Security,Machine Learning

Yingzhe He,Guozhu Meng,Kai Chen,Xingbo Hu,Jinwen He

DOI: https://doi.org/10.1109/tse.2020.3034721

IF: 7.4

2021-01-01

IEEE Transactions on Software Engineering

Abstract:Deep learning has gained tremendous success and great popularity in the past few years. However, deep learning systems are suffering several inherent weaknesses, which can threaten the security of learning models. Deep learning's wide use further magnifies the impact and consequences. To this end, lots of research has been conducted with the purpose of exhaustively identifying intrinsic weaknesses and subsequently proposing feasible mitigation. Yet few are clear about how these weaknesses are incurred and how effective these attack approaches are in assaulting deep learning. In order to unveil the security weaknesses and aid in the development of a robust deep learning system, we undertake an investigation on attacks towards deep learning, and analyze these attacks to conclude some findings in multiple views. In particular, we focus on four types of attacks associated with security threats of deep learning: model extraction attack, model inversion attack, poisoning attack and adversarial attack. For each type of attack, we construct its essential workflow as well as adversary capabilities and attack goals. Pivot metrics are devised for comparing the attack approaches, by which we perform quantitative and qualitative analyses. From the analysis, we have identified significant and indispensable factors in an attack vector, e.g., how to reduce queries to target models, what distance should be used for measuring perturbation. We shed light on 18 findings covering these approaches' merits and demerits, success probability, deployment complexity and prospects. Moreover, we discuss other potential security weaknesses and possible mitigation which can inspire relevant research in this area.

engineering, electrical & electronic,computer science, software engineering

Jiliang Zhang,Chen Li,Jing Ye,Gang Qu

DOI: https://doi.org/10.1145/3386263.3407599

2020-01-01

Abstract:With the improvement of computing power and storage level, Machine Learning (ML), especially Deep Learning (DL), has shown its capabilities beyond humans in areas such as image recognition, speech processing, and content recommendation. However, the data collected to build ML models often contains sensitive information, and models may have high commercial value. Compared with the security problem of model prediction errors caused by malicious external influences, privacy threats have not attracted widespread attention, and they have characteristics that are difficult to define and detect. This article reviews recent research progress on ML privacy. First, the privacy threats on data and models in different scenarios are described in detail. Then, typical privacy protection methods are introduced. Finally, the limitations and future development trends of ML privacy research are discussed.

Trung Ha,Tran Khanh Dang,Hieu Le,Tuan Anh Truong

DOI: https://doi.org/10.1007/s42979-020-00254-4

2020-08-06

SN Computer Science

Abstract:Nowadays, deep learning is becoming increasingly important in our daily life. The appearance of deep learning in many applications in life relates to prediction and classification such as self-driving, product recommendation, advertisements and healthcare. Therefore, if a deep learning model causes false predictions and misclassification, it can do great harm. This is basically a crucial issue in the deep learning model. In addition, deep learning models use large amounts of data in the training/learning phases, which contain sensitive information. Therefore, when deep learning models are used in real-world applications, it is required to protect the privacy information used in the model. In this article, we carry out a brief review of the threats and defenses methods on security issues for the deep learning models and the privacy of the data used in such models while maintaining their performance and accuracy. Finally, we discuss current challenges and future developments.

English Else

Yang Yu,Li Jianping,Duan Weiwei

DOI: https://doi.org/10.1109/iccwamtip56608.2022.10016548

2022-01-01

Abstract:Deep learning has made remarkable research advancements and wide-ranging applications in the domains of computer vision, multimodal, natural language processing, additionally, other areas. This has caused the academic community to pay increasingly close attention to the attack and defense technology in its training and testing phases, among which the federal deep learning has produced positive results. Federated deep learning models are prone to memorizing private and sensitive terminal participants' data, model parameters, when combined with the model's inherent vulnerability, they will result in privacy leakage, poisoning attack, model inference attack, adversarial attack. We briefly discuss the conception of federated deep learning as well as security challenges and open questions in this paper. In order to facilitate the understanding of these challenges and problems, we further propose a security system model. We also provide an overview and deduce the attack and mitigation approaches to the most sophisticated privacy-preserving and intrusion detection models. in the last two years. To tackle these challenges and enlighten further encryption techniques researches, finally, we discuss and describe current prospects and future trajectories of federated deep learning.

David Enthoven,Zaid Al-Ars

DOI: https://doi.org/10.1007/978-3-030-70604-3_8

2021-01-01

Abstract:With the increased attention and legislation for data-privacy, collaborative machine learning (ML) algorithms are being developed to ensure the protection of private data used for processing. Federated learning (FL) is the most popular of these methods, which provides privacy preservation by facilitating collaborative training of a shared model without the need to exchange any private data with a centralized server. Rather, an abstraction of the data in the form of a machine learning model update is sent. Recent studies showed that such model updates may still very well leak private information and thus a more structured risk assessment is needed. In this chapter, we analyze existing vulnerabilities of FL and subsequently perform a literature review of the possible attack methods targeting FL privacy protection capabilities. These attack methods are then categorized by a basic taxonomy. Additionally, we provide a literature study of the most recent defensive strategies and algorithms for FL aimed to overcome these attacks. These defensive strategies are categorized by their respective underlying defense principle. The chapter advocates that the application of a single defensive strategy is not enough to provide adequate protection against all available attack methods.

Shahbaz Rezaei,Xin Liu

DOI: https://doi.org/10.48550/arXiv.1912.03735

2019-12-09

Abstract:Despite the plethora of studies about security vulnerabilities and defenses of deep learning models, security aspects of deep learning methodologies, such as transfer learning, have been rarely studied. In this article, we highlight the security challenges and research opportunities of these methodologies, focusing on vulnerabilities and attacks unique to them.

Cryptography and Security,Artificial Intelligence,Machine Learning

Emiliano De Cristofaro

DOI: https://doi.org/10.48550/arXiv.2005.08679

IF: 5.414

2020-05-18

Machine Learning

Abstract:Over the past few years, providers such as Google, Microsoft, and Amazon have started to provide customers with access to software interfaces allowing them to easily embed machine learning tasks into their applications. Overall, organizations can now use Machine Learning as a Service (MLaaS) engines to outsource complex tasks, e.g., training classifiers, performing predictions, clustering, etc. They can also let others query models trained on their data. Naturally, this approach can also be used (and is often advocated) in other contexts, including government collaborations, citizen science projects, and business-to-business partnerships. However, if malicious users were able to recover data used to train these models, the resulting information leakage would create serious issues. Likewise, if the inner parameters of the model are considered proprietary information, then access to the model should not allow an adversary to learn such parameters. In this document, we set to review privacy challenges in this space, providing a systematic review of the relevant research literature, also exploring possible countermeasures. More specifically, we provide ample background information on relevant concepts around machine learning and privacy. Then, we discuss possible adversarial models and settings, cover a wide range of attacks that relate to private and/or sensitive information leakage, and review recent results attempting to defend against such attacks. Finally, we conclude with a list of open problems that require more work, including the need for better evaluations, more targeted defenses, and the study of the relation to policy and data protection efforts.

Dayin Zhang,Xiaojun Chen,Dakui Wang,Jinqiao Shi

DOI: https://doi.org/10.1109/dsc.2018.00104

2018-01-01

Abstract:In the era of big data, the amount of data that individuals and enterprises hold is increasing, and the efficiency and effectiveness of data analysis are increasingly demanding. Collaborative deep learning, as a machine learning framework that can share users' data and improve learning efficiency, has drawn more and more attention and started to be applied in practical problems. In collaborative deep learning, data sharing and interaction among multi users may lead data leakage especially when data are very sensitive to the user. Therefore, how to protect the data privacy when processing collaborative deep learning becomes an important problem. In this paper, we review the current state of art researches in this field and summarize the application of privacy-preserving technologies in two phases of collaborative deep learning. Finally we discuss the future direction and trend on this problem.

Daryna Oliynyk,Rudolf Mayer,Andreas Rauber

DOI: https://doi.org/10.1145/3595292

IF: 16.6

2023-04-29

ACM Computing Surveys

Abstract:Machine-Learning-as-a-Service (MLaaS) has become a widespread paradigm, making even the most complex Machine Learning models available for clients via e.g. a pay-per-query principle. This allows users to avoid time-consuming processes of data collection, hyperparameter tuning, and model training. However, by giving their customers access to the (predictions of their) models, MLaaS providers endanger their intellectual property such as sensitive training data, optimised hyperparameters, or learned model parameters. In some cases, adversaries can create a copy of the model with (almost) identical behaviour using the the prediction labels only. While many variants of this attack have been described, only scattered defence strategies that address isolated threats have been proposed. To arrive at a comprehensive understanding why these attacks are successful and how they could be holistically defended against, a thorough systematisation of the field of model stealing is necessary. We address this by categorising and comparing model stealing attacks, assessing their performance, and exploring corresponding defence techniques in different settings. We propose a taxonomy for attack and defence approaches and provide guidelines on how to select the right attack- or defence strategy based on the goal and available resources. Finally, we analyse which defences are rendered less effective by current attack strategies.

computer science, theory & methods

Yudong Li,Shigeng Zhang,Weiping Wang,Hong Song

DOI: https://doi.org/10.1109/OJCS.2023.3267221

2023-01-01

IEEE Open Journal of the Computer Society

Abstract:Backdoor attacks have severely threatened deep neural network (DNN) models in the past several years. In backdoor attacks, the attackers try to plant hidden backdoors into DNN models, either in the training or inference stage, to mislead the output of the model when the input contains some specified triggers without affecting the prediction of normal inputs not containing the triggers. As a rapidly developing topic, numerous works on designing various backdoor attacks and developing techniques to defend against such attacks have been proposed in recent years. However, a comprehensive and holistic overview of backdoor attacks and countermeasures is still missing. In this paper, we provide a systematic overview of the design of backdoor attacks and the defense strategies to defend against backdoor attacks, covering the latest published works. We review representative backdoor attacks and defense strategies in both the computer vision domain and other domains, discuss their pros and cons, and make comparisons among them. We outline key challenges to be addressed and potential research directions in the future.

REN Kui,MENG Quanrun,YAN Shoukun,QIN Zhan

DOI: https://doi.org/10.11959/j.issn.2096-109x.2021001

2021-01-01

Abstract:Artificial intelligence and deep learning algorithms are developing rapidly. These emerging techniques have been widely used in audio and video recognition, natural language processing and other fields. However, in recent years, researchers have found that there are many security risks in the current mainstream artificial intelligence model, and these problems will limit the development of AI. Therefore, the data security and privacy protection was studied in AI. For data and privacy leakage, the model output based and model update based problem of data leakage were studied. In the model output based problem of data leakage, the principles and research status of model extraction attack, model inversion attack and membership inference attack were discussed. In the model update based problem of data leakage, how attackers steal private data in the process of distributed training was discussed. For data and privacy protection, three kinds of defense methods, namely model structure defense, information confusion defense and query control defense were studied. In summarize, the theoretical foundations, classic algorithms of data inference attack techniques were introduced. A few research efforts on the defense techniques were described in order to provoke further research efforts in this critical area.