path: root/synthetic/background.tex
blob: 9e834ff3093119a62e0682a05f36aa5740d704fa (plain)
In this section we introduce the key notions and the prior work on which we base our study.

\subsection{Machine learning and classification}
In classification tasks, a machine learning model is a function that maps the features of a data record to its label.
This function has an architecture, which describes the structure of its internal computation, and parameters.
For instance, with one-dimensional data, the affine model is $f(x) = ax+b$, where $x$ is the feature and $a$ and $b$ are the parameters.
In general the range of $f$ is $\mathbb{R}$, and we call $f(x)$ the soft label or the logit of $x$.
Because classification problems require discrete values, we apply a threshold to the soft label: below it the predicted label is 0 and above it the predicted label is 1.

Training a machine learning model means running an optimization algorithm that finds the parameters minimizing a loss function $l$.
In the previous example, the optimization problem is $\min_{(a,b)\in\mathbb{R}^2} l(f(x),y)$, where $y$ is the ground truth: the label of $x$ in the dataset.

\subsection{Synthetic data}
A generator is a function that takes a real dataset as input and outputs a synthetic dataset.
This definition is general enough that the identity function is a generator, even though synthetic datasets are supposedly different from real-world datasets.
We refer to the output of the identity generator as real data and to the output of any other generator as synthetic data.

In addition to the identity generator we use Generative Adversarial Networks (GAN)~\cite{gan}.
The goal of a GAN is to generate realistic samples given a distribution of multivariate data.
To do so, a GAN leverages two neural networks: a generator and a discriminator.
The domain of the generator (its input space) has a low dimension compared to its codomain (its output space), which has the same dimension as the data we want to generate.
For instance, with 64 by 64 images, the codomain is the set of matrices with 64 rows and 64 columns.
To generate a new sample, we evaluate the generator on a sample drawn from a multivariate standard normal distribution whose dimension is that of the domain.
The output is the newly generated synthetic data point.

The discriminator is only used when training the GAN, with the goal of making sure that the generator produces realistic data.
To do so, the discriminator is a neural network with a classification goal: infer whether a sample is synthetic or real.
Hence, in the training procedure, the discriminator and the generator compete: the generator's goal is to fool the discriminator into classifying synthetic data as real data.


\subsection{Membership inference attack}
This attack infers the membership status of a data record: whether it has been used in the training of a machine learning model (member, $m$) or not (non-member, $\bar{m}$).
%Shadow model
In practice, this attack is carried out using shadow models: models that imitate the behaviour of the target~\cite{shokri2017membership}.
This technique allows an attacker to construct a dataset of logits and ground truth labels, labeled by membership status.

%Yeom et all
Overfitting is one of the major historical difficulties of machine learning~\cite{hawkins2004problem}.
The generalization error is the difference between the average loss of members and the average loss of non-members.
The greater this error, the more the model overfits.
Yeom et al. show that overfitting is the major factor enabling membership inference attacks~\cite{yeom}.
They build an attack that assumes the attacker has access to a dataset of losses labeled by membership status.
This allows them to build a model that infers the membership status of a data record from its loss.
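The loss-based attack described above, as an added example that is not part of the original paper: the attacker's labeled losses are constructed here, the generalization gap is measured, and a single loss threshold is fitted as the simplest membership model. The exponential loss distributions and the `simulate_audit` helper are assumptions made for the illustration.

```python
"""Loss-threshold membership inference in the style of Yeom et al. (constructed example).

The attacker's dataset is a list of per-record losses labeled by membership status.
We measure the generalization gap and fit one loss threshold predicting "member"
for low-loss records, which is how a defender can audit a model's exposure.
"""
import random
from statistics import mean


def generalization_error(member_losses, nonmember_losses):
    """Gap between the average non-member loss and the average member loss.

    Sign chosen so that a larger value means the model fits members better,
    i.e. overfits more."""
    return mean(nonmember_losses) - mean(member_losses)


def attack_accuracy(threshold, member_losses, nonmember_losses):
    """Fraction of records that the rule 'loss <= threshold means member' gets right."""
    hits = sum(1 for loss in member_losses if loss <= threshold)
    hits += sum(1 for loss in nonmember_losses if loss > threshold)
    return hits / (len(member_losses) + len(nonmember_losses))


def fit_loss_threshold(member_losses, nonmember_losses):
    """Pick the observed loss value that maximizes accuracy on the labeled losses:
    the simplest model inferring membership status from the loss."""
    candidates = sorted(set(member_losses) | set(nonmember_losses))
    return max(candidates, key=lambda t: attack_accuracy(t, member_losses, nonmember_losses))


def simulate_audit(overfit, n=500, seed=0):
    """Constructed losses for an audit (assumption: exponential loss distributions).

    A well-generalizing model gives members and non-members the same loss
    distribution; an overfit model gives members a much smaller mean loss."""
    rng = random.Random(seed)
    member_mean = 0.2 if overfit else 1.0
    members = [rng.expovariate(1.0 / member_mean) for _ in range(n)]
    nonmembers = [rng.expovariate(1.0) for _ in range(n)]
    threshold = fit_loss_threshold(members, nonmembers)
    return {
        "generalization_error": generalization_error(members, nonmembers),
        "threshold": threshold,
        "attack_accuracy": attack_accuracy(threshold, members, nonmembers),
    }


if __name__ == "__main__":
    for label in ("generalizing", "overfit"):
        print(label, simulate_audit(overfit=(label == "overfit")))
```

For the overfit model the fitted threshold separates members from non-members well above chance, while for the generalizing model the attack stays close to 50% accuracy, matching the observation that overfitting drives the attack.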

%DP
Differential privacy is a probabilistic definition that bounds the success of membership inference attacks.
In practice, these guarantees are achieved through gradient clipping and additive noise in the training algorithm~\cite{abadi2016deep}.

\subsection{Attribute inference attack}
Model predictions, and especially soft labels, can depend on a sensitive attribute such as race or sex.
For instance, the prediction of recidivism in predictive justice depends on the race of the defendant~\cite{EO}.
Attribute inference attacks (AIA) leverage this bias in model predictions to infer sensitive attributes of data records~\cite{song2020overlearning}.