Membership Inference Attacks and Defenses in Supervised Learning via Generalization Gap

Add code
Feb 27, 2020
Jiacheng Li, Ninghui Li, Bruno Ribeiro
Figure 1 for Membership Inference Attacks and Defenses in Supervised Learning via Generalization Gap
Figure 2 for Membership Inference Attacks and Defenses in Supervised Learning via Generalization Gap
Figure 3 for Membership Inference Attacks and Defenses in Supervised Learning via Generalization Gap
Figure 4 for Membership Inference Attacks and Defenses in Supervised Learning via Generalization Gap

Share this with someone who'll enjoy it:

Twitter IconFacebook IconLinkedin IconWhatsapp IconMessenger Icon

This work studies membership inference (MI) attack against classifiers, where the attacker's goal is to determine whether a data instance was used for training the classifier. While it is known that overfitting makes classifiers susceptible to MI attacks, we showcase a simple numerical relationship between the generalization gap---the difference between training and test accuracies---and the classifier's vulnerability to MI attacks---as measured by an MI attack's accuracy gain over a random guess. We then propose to close the gap by matching the training and validation accuracies during training, by means of a new {\em set regularizer} using the Maximum Mean Discrepancy between the softmax output empirical distributions of the training and validation sets. Our experimental results show that combining this approach with another simple defense (mix-up training) significantly improves state-of-the-art defense against MI attacks, with minimal impact on testing accuracy.

View paper onarxiv icon

Share this with someone who'll enjoy it:

Twitter IconFacebook IconLinkedin IconWhatsapp IconMessenger Icon