skip to main content

Explore Research Products in the NSF-PAR

Title: Revisiting Membership Inference Under Realistic Assumptions
Abstract We study membership inference in settings where assumptions commonly used in previous research are relaxed. First, we consider cases where only a small fraction of the candidate pool targeted by the adversary are members and develop a PPV-based metric suitable for this setting. This skewed prior setting is more realistic than the balanced prior setting typically considered. Second, we consider adversaries that select inference thresholds according to their attack goals, such as identifying as many members as possible with a given false positive tolerance. We develop a threshold selection designed for achieving particular attack goals. Since previous inference attacks fail in imbalanced prior settings, we develop new inference attacks based on the intuition that inputs corresponding to training set members will be near a local minimum in the loss function. An attack that combines this with thresholds on the per-instance loss can achieve high PPV even in settings where other attacks are ineffective.  more » « less
Award ID(s):
1717950
NSF-PAR ID:
10302950
Author(s) / Creator(s):
 ;  ;  ;  ;  
Date Published:
Journal Name:
Proceedings on Privacy Enhancing Technologies
Volume:
2021
Issue:
2
ISSN:
2299-0984
Format(s):
Medium: X
Sponsoring Org:
National Science Foundation
More Like this
  1. ; ; ; ; ; ; ( , 2019 Resilience Week (RWS))
    Recent advances in machine learning enable wider applications of prediction models in cyber-physical systems. Smart grids are increasingly using distributed sensor settings for distributed sensor fusion and information processing. Load forecasting systems use these sensors to predict future loads to incorporate into dynamic pricing of power and grid maintenance. However, these inference predictors are highly complex and thus vulnerable to adversarial attacks. Moreover, the adversarial attacks are synthetic norm-bounded modifications to a limited number of sensors that can greatly affect the accuracy of the overall predictor. It can be much cheaper and effective to incorporate elements of security and resilience at the earliest stages of design. In this paper, we demonstrate how to analyze the security and resilience of learning-based prediction models in power distribution networks by utilizing a domain-specific deep-learning and testing framework. This framework is developed using DeepForge and enables rapid design and analysis of attack scenarios against distributed smart meters in a power distribution network. It runs the attack simulations in the cloud backend. In addition to the predictor model, we have integrated an anomaly detector to detect adversarial attacks targeting the predictor. We formulate the stealthy adversarial attacks as an optimization problem to maximize prediction loss while minimizing the required perturbations. Under the worst-case setting, where the attacker has full knowledge of both the predictor and the detector, an iterative attack method has been developed to solve for the adversarial perturbation. We demonstrate the framework capabilities using a GridLAB-D based power distribution network model and show how stealthy adversarial attacks can affect smart grid prediction systems even with a partial control of network. 
    more » « less
  2. ; ; ; ( , Proceedings of the Frontiers in Education Conference (FIE))
    Commitment is a multi-dimensional construct that has been extensively researched in the context of organizations. Organizational and professional commitment have been positively associated with technical performance, client service, attention to detail, and degree of involvement with one’s job. However, there is a relative dearth of research in terms of team commitment, especially in educational settings. Teamwork is considered a 21stcentury skill and higher education institutions are focusing on helping students to develop teamwork skills by applied projects in the coursework. But studies have demonstrated that creating a team is not enough to help students build teamwork skills. Literature supports the use of team contracts to bolster commitment, among team members. However, the relationship between team contracts and team commitment has not been formally operationalized.This research category study presents a mixed-methods approach towards characterizing and operationalizing team commitment exhibited by students enrolled in a sophomore-level systems analysis and design course by analyzing team contracts and team retrospective reflections. The course covers concepts pertaining to information systems development and includes a semester-long team project where the students work together in four or five member teams to develop the project deliverables. The students have prior software development experiences through an introductory systems development course as well as multiple programming courses. The data for this study was collected through the team contracts signed by students belonging to one of the 23 teams of this course. The study aims to answer the following research question: How can team commitment be characterized in a sophomore-level system analysis and design course among the student teams?A rubric was developed to quantify the team commitment levels of students based on their responses on the team contracts. Students were classified as high or low commitment based on the rubric scores. The emergent themes of high and low commitment teams were also presented. The results indicated that the high commitment teams were focused on setting goals, effective communication, and having mechanisms in place for timely feedback and improvement. On the other hand, low commitment teams did not articulate the goals of the project, they demonstrated a lack of dedication for attending team meetings regularly, working as a team, and had a lack of proper coordination while working together. 
    more » « less
  3. ; ; ; ( , Advances in neural information processing systems)
    Collaborative inference leverages diverse features provided by different agents (e.g., sensors) for more accurate inference. A common setup is where each agent sends its embedded features instead of the raw data to the Fusion Center (FC) for joint prediction. In this setting, we consider the inference-time attacks when a small fraction of agents are compromised. The compromised agent either does not send embedded features to the FC, or sends arbitrarily embedded features. To address this, we propose a certifiably robust COllaborative inference framework via feature PURification (CoPur), by leveraging the block-sparse nature of adversarial perturbations on the feature vector, as well as exploring the underlying redundancy across the embedded features (by assuming the overall features lie on an underlying lower dimensional manifold). We theoretically show that the proposed feature purification method can robustly recover the true feature vector, despite adversarial corruptions and/or incomplete observations. We also propose and test an untargeted distributed feature-flipping attack, which is agnostic to the model, training data, label, as well as the features held by other agents, and is shown to be effective in attacking state-of-the-art defenses. Experiments on ExtraSensory and NUS-WIDE datasets show that CoPur significantly outperforms existing defenses in terms of robustness against targeted and untargeted adversarial attacks. 
    more » « less
  4. ; ; ; ; ( , Accepted at SaTML 2023 arXiv:2212.07591)
    Abstract—A distribution inference attack aims to infer statistical properties of data used to train machine learning models. These attacks are sometimes surprisingly potent, but the factors that impact distribution inference risk are not well understood and demonstrated attacks often rely on strong and unrealistic assumptions such as full knowledge of training environments even in supposedly black-box threat scenarios. To improve understanding of distribution inference risks, we develop a new black-box attack that even outperforms the best known white-box attack in most settings. Using this new attack, we evaluate distribution inference risk while relaxing a variety of assumptions about the adversary’s knowledge under black-box access, like known model architectures and label-only access. Finally, we evaluate the effectiveness of previously proposed defenses and introduce new defenses. We find that although noise-based defenses appear to be ineffective, a simple re-sampling defense can be highly effective. I 
    more » « less
  5. ; ; ; ( , ArXiv.org. SaTML 2023)
    —A distribution inference attack aims to infer statistical properties of data used to train machine learning models. These attacks are sometimes surprisingly potent, but the factors that impact distribution inference risk are not well understood and demonstrated attacks often rely on strong and unrealistic assumptions such as full knowledge of training environments even in supposedly black-box threat scenarios. To improve understanding of distribution inference risks, we develop a new black-box attack that even outperforms the best known white-box attack in most settings. Using this new attack, we evaluate distribution inference risk while relaxing a variety of assumptions about the adversary’s knowledge under black-box access, like known model architectures and label-only access. Finally, we evaluate the effectiveness of previously proposed defenses and introduce new defenses. We find that although noise-based defenses appear to be ineffective, a simple re-sampling defense can be highly effective. 
    more » « less
  • Citation Formats
  • MLA
  • APA
  • Chicago
  • BibTeX
  • Save / Share this Record
  • Send to Email