机器学习模型的隐私已成为许多新兴的机器学习应用程序中的重要问题，在这些应用程序中，基于训练有素的模型的预测服务通过按要求提供给用户。缺乏防御机制可以对服务器模型的隐私施加高风险，因为对手可以通过仅查询几个“好”数据点来有效地窃取模型。服务器的防御与对手的攻击之间的相互作用不可避免地导致了军备竞赛的困境，正如对抗机器学习中通常看到的那样。为了从良性用户的观点和隐私从对手的角度研究模型效用之间的基本权衡，我们开发了新的指标来量化此类权衡，分析其理论属性并开发优化问题，以了解最佳的对抗性攻击和防御策略。开发的概念和理论与隐私与效用之间的“均衡”有关的经验发现匹配。在优化方面，启用我们的结果的关键要素是对攻击防御问题的统一表示为Min-Max Bi级问题。开发的结果将通过示例和实验来证明。

在模型提取攻击中，对手可以通过反复查询并根据获得的预测来窃取通过公共API暴露的机器学习模型。为了防止模型窃取，现有的防御措施专注于检测恶意查询，截断或扭曲输出，因此必然会为合法用户引入鲁棒性和模型实用程序之间的权衡。取而代之的是，我们建议通过要求用户在阅读模型的预测之前完成工作证明来阻碍模型提取。这可以通过大大增加（甚至高达100倍）来阻止攻击者，以利用查询访问模型提取所需的计算工作。由于我们校准完成每个查询的工作证明所需的努力，因此这仅为常规用户（最多2倍）引入一个轻微的开销。为了实现这一目标，我们的校准应用了来自差异隐私的工具来衡量查询揭示的信息。我们的方法不需要对受害者模型进行任何修改，可以通过机器学习从业人员来应用其公开暴露的模型免于轻易被盗。

Machine learning models leak information about the datasets on which they are trained. An adversary can build an algorithm to trace the individual members of a model's training dataset. As a fundamental inference attack, he aims to distinguish between data points that were part of the model's training set and any other data points from the same distribution. This is known as the tracing (and also membership inference) attack. In this paper, we focus on such attacks against black-box models, where the adversary can only observe the output of the model, but not its parameters. This is the current setting of machine learning as a service in the Internet.We introduce a privacy mechanism to train machine learning models that provably achieve membership privacy: the model's predictions on its training data are indistinguishable from its predictions on other data points from the same distribution. We design a strategic mechanism where the privacy mechanism anticipates the membership inference attacks. The objective is to train a model such that not only does it have the minimum prediction error (high utility), but also it is the most robust model against its corresponding strongest inference attack (high privacy). We formalize this as a min-max game optimization problem, and design an adversarial training algorithm that minimizes the classification loss of the model as well as the maximum gain of the membership inference attack against it. This strategy, which guarantees membership privacy (as prediction indistinguishability), acts also as a strong regularizer and significantly generalizes the model.We evaluate our privacy mechanism on deep neural networks using different benchmark datasets. We show that our min-max strategy can mitigate the risk of membership inference attacks (close to the random guess) with a negligible cost in terms of the classification error.

从外界培训的机器学习模型可能会被数据中毒攻击损坏，将恶意指向到模型的培训集中。对这些攻击的常见防御是数据消毒：在培训模型之前首先过滤出异常培训点。在本文中，我们开发了三次攻击，可以绕过广泛的常见数据消毒防御，包括基于最近邻居，训练损失和奇异值分解的异常探测器。通过增加3％的中毒数据，我们的攻击成功地将Enron垃圾邮件检测数据集的测试错误从3％增加到24％，并且IMDB情绪分类数据集从12％到29％。相比之下，没有明确占据这些数据消毒防御的现有攻击被他们击败。我们的攻击基于两个想法：（i）我们协调我们的攻击将中毒点彼此放置在彼此附近，（ii）我们将每个攻击制定为受限制的优化问题，限制旨在确保中毒点逃避检测。随着这种优化涉及解决昂贵的Bilevel问题，我们的三个攻击对应于基于影响功能的近似近似这个问题的方式; minimax二元性;和karush-kuhn-tucker（kkt）条件。我们的结果强调了对数据中毒攻击产生更强大的防御的必要性。

Machine learning (ML) models may be deemed confidential due to their sensitive training data, commercial value, or use in security applications. Increasingly often, confidential ML models are being deployed with publicly accessible query interfaces. ML-as-a-service ("predictive analytics") systems are an example: Some allow users to train models on potentially sensitive data and charge others for access on a pay-per-query basis.The tension between model confidentiality and public access motivates our investigation of model extraction attacks. In such attacks, an adversary with black-box access, but no prior knowledge of an ML model's parameters or training data, aims to duplicate the functionality of (i.e., "steal") the model. Unlike in classical learning theory settings, ML-as-a-service offerings may accept partial feature vectors as inputs and include confidence values with predictions. Given these practices, we show simple, efficient attacks that extract target ML models with near-perfect fidelity for popular model classes including logistic regression, neural networks, and decision trees. We demonstrate these attacks against the online services of BigML and Amazon Machine Learning. We further show that the natural countermeasure of omitting confidence values from model outputs still admits potentially harmful model extraction attacks. Our results highlight the need for careful ML model deployment and new model extraction countermeasures.

Machine learning algorithms, when applied to sensitive data, pose a distinct threat to privacy. A growing body of prior work demonstrates that models produced by these algorithms may leak specific private information in the training data to an attacker, either through the models' structure or their observable behavior. However, the underlying cause of this privacy risk is not well understood beyond a handful of anecdotal accounts that suggest overfitting and influence might play a role.This paper examines the effect that overfitting and influence have on the ability of an attacker to learn information about the training data from machine learning models, either through training set membership inference or attribute inference attacks. Using both formal and empirical analyses, we illustrate a clear relationship between these factors and the privacy risk that arises in several popular machine learning algorithms. We find that overfitting is sufficient to allow an attacker to perform membership inference and, when the target attribute meets certain conditions about its influence, attribute inference attacks. Interestingly, our formal analysis also shows that overfitting is not necessary for these attacks and begins to shed light on what other factors may be in play. Finally, we explore the connection between membership inference and attribute inference, showing that there are deep connections between the two that lead to effective new attacks.

我们展示了一个联合学习框架，旨在强大地提供具有异构数据的各个客户端的良好预测性能。所提出的方法对基于SuperQualile的学习目标铰接，捕获异构客户端的误差分布的尾统计。我们提出了一种随机训练算法，其与联合平均步骤交织差异私人客户重新重量步骤。该提出的算法支持有限时间收敛保证，保证覆盖凸和非凸面设置。关于联邦学习的基准数据集的实验结果表明，我们的方法在平均误差方面与古典误差竞争，并且在误差的尾统计方面优于它们。

Deep learning (DL) methods have been widely applied to anomaly-based network intrusion detection system (NIDS) to detect malicious traffic. To expand the usage scenarios of DL-based methods, the federated learning (FL) framework allows multiple users to train a global model on the basis of respecting individual data privacy. However, it has not yet been systematically evaluated how robust FL-based NIDSs are against existing privacy attacks under existing defenses. To address this issue, we propose two privacy evaluation metrics designed for FL-based NIDSs, including (1) privacy score that evaluates the similarity between the original and recovered traffic features using reconstruction attacks, and (2) evasion rate against NIDSs using Generative Adversarial Network-based adversarial attack with the reconstructed benign traffic. We conduct experiments to show that existing defenses provide little protection that the corresponding adversarial traffic can even evade the SOTA NIDS Kitsune. To defend against such attacks and build a more robust FL-based NIDS, we further propose FedDef, a novel optimization-based input perturbation defense strategy with theoretical guarantee. It achieves both high utility by minimizing the gradient distance and strong privacy protection by maximizing the input distance. We experimentally evaluate four existing defenses on four datasets and show that our defense outperforms all the baselines in terms of privacy protection with up to 7 times higher privacy score, while maintaining model accuracy loss within 3% under optimal parameter combination.

联合学习是一种协作机器学习，参与客户在本地处理他们的数据，仅与协作模型共享更新。这使得能够建立隐私意识的分布式机器学习模型等。目的是通过最大程度地减少一组客户本地存储的数据集的成本函数来优化统计模型的参数。这个过程使客户遇到了两个问题：私人信息的泄漏和模型的个性化缺乏。另一方面，随着分析数据的最新进步，人们对侵犯参与客户的隐私行为的关注激增。为了减轻这种情况，差异隐私及其变体是提供正式隐私保证的标准。客户通常代表非常异构的社区，并拥有非常多样化的数据。因此，与FL社区的最新重点保持一致，以为代表其多样性的用户建立个性化模型框架，这对于防止潜在威胁免受客户的敏感和个人信息而言也是至关重要的。 $ d $ - 私人是对地理位置可区分性的概括，即最近普及的位置隐私范式，它使用了一种基于公制的混淆技术，可保留原始数据的空间分布。为了解决保护客户隐私并允许个性化模型培训以增强系统的公平性和实用性的问题，我们提出了一种提供团体隐私性的方法在FL的框架下。我们为对现实世界数据集的适用性和实验验证提供了理论上的理由，以说明该方法的工作。

鉴于对机器学习模型的访问，可以进行对手重建模型的培训数据？这项工作从一个强大的知情对手的镜头研究了这个问题，他们知道除了一个之外的所有培训数据点。通过实例化混凝土攻击，我们表明重建此严格威胁模型中的剩余数据点是可行的。对于凸模型（例如Logistic回归），重建攻击很简单，可以以封闭形式导出。对于更常规的模型（例如神经网络），我们提出了一种基于训练的攻击策略，该攻击策略接收作为输入攻击的模型的权重，并产生目标数据点。我们展示了我们对MNIST和CIFAR-10训练的图像分类器的攻击的有效性，并系统地研究了标准机器学习管道的哪些因素影响重建成功。最后，我们从理论上调查了有多差异的隐私足以通过知情对手减轻重建攻击。我们的工作提供了有效的重建攻击，模型开发人员可以用于评估超出以前作品中考虑的一般设置中的个别点的记忆（例如，生成语言模型或访问培训梯度）;它表明，标准模型具有存储足够信息的能力，以实现培训数据点的高保真重建;它表明，差异隐私可以成功减轻该参数制度中的攻击，其中公用事业劣化最小。

We introduce a tunable loss function called $\alpha$-loss, parameterized by $\alpha \in (0,\infty]$, which interpolates between the exponential loss ($\alpha = 1/2$), the log-loss ($\alpha = 1$), and the 0-1 loss ($\alpha = \infty$), for the machine learning setting of classification. Theoretically, we illustrate a fundamental connection between $\alpha$-loss and Arimoto conditional entropy, verify the classification-calibration of $\alpha$-loss in order to demonstrate asymptotic optimality via Rademacher complexity generalization techniques, and build-upon a notion called strictly local quasi-convexity in order to quantitatively characterize the optimization landscape of $\alpha$-loss. Practically, we perform class imbalance, robustness, and classification experiments on benchmark image datasets using convolutional-neural-networks. Our main practical conclusion is that certain tasks may benefit from tuning $\alpha$-loss away from log-loss ($\alpha = 1$), and to this end we provide simple heuristics for the practitioner. In particular, navigating the $\alpha$ hyperparameter can readily provide superior model robustness to label flips ($\alpha > 1$) and sensitivity to imbalanced classes ($\alpha < 1$).

Adaptive attacks have (rightfully) become the de facto standard for evaluating defenses to adversarial examples. We find, however, that typical adaptive evaluations are incomplete. We demonstrate that thirteen defenses recently published at ICLR, ICML and NeurIPS-and which illustrate a diverse set of defense strategies-can be circumvented despite attempting to perform evaluations using adaptive attacks. While prior evaluation papers focused mainly on the end result-showing that a defense was ineffective-this paper focuses on laying out the methodology and the approach necessary to perform an adaptive attack. Some of our attack strategies are generalizable, but no single strategy would have been sufficient for all defenses. This underlines our key message that adaptive attacks cannot be automated and always require careful and appropriate tuning to a given defense. We hope that these analyses will serve as guidance on how to properly perform adaptive attacks against defenses to adversarial examples, and thus will allow the community to make further progress in building more robust models.

对抗性的鲁棒性已成为机器学习越来越兴趣的话题，因为观察到神经网络往往会变得脆弱。我们提出了对逆转防御的信息几何表述，并引入Fire，这是一种针对分类跨透明镜损失的新的Fisher-Rao正则化，这基于对应于自然和受扰动输入特征的软磁输出之间的测量距离。基于SoftMax分布类的信息几何特性，我们为二进制和多类案例提供了Fisher-Rao距离（FRD）的明确表征，并绘制了一些有趣的属性以及与标准正则化指标的连接。此外，对于一个简单的线性和高斯模型，我们表明，在精度 - 舒适性区域中的所有帕累托最佳点都可以通过火力达到，而其他最先进的方法则可以通过火灾。从经验上讲，我们评估了经过标准数据集拟议损失的各种分类器的性能，在清洁和健壮的表现方面同时提高了1 \％的改进，同时将培训时间降低了20 \％，而不是表现最好的方法。

我们考虑垂直逻辑回归（VLR）接受了迷你批次梯度下降训练，这种环境吸引了行业日益增长的兴趣，并被证明在包括金融和医学研究在内的广泛应用中很有用。我们在一系列开源联合学习框架中提供了对VLR的全面和严格的隐私分析，其中协议之间可能会有所不同，但是获得了获得本地梯度的过程。我们首先考虑了诚实而有趣的威胁模型，其中忽略了协议的详细实施，并且仅假定共享过程，我们将其作为甲骨文提取。我们发现，即使在这种一般环境下，在适当的批处理大小约束下，仍然可以从另一方恢复单维功能和标签，从而证明了遵循相同理念的所有框架的潜在脆弱性。然后，我们研究基于同态加密（HE）的协议的流行实例。我们提出了一种主动攻击，该攻击通过生成和压缩辅助密文来显着削弱对先前分析中批处理大小的约束。为了解决基于HE的协议中的隐私泄漏，我们基于差异隐私（DP）开发了一种简单的对策，并为更新的算法提供实用程序和隐私保证。最后，我们从经验上验证了我们对基准数据集的攻击和防御的有效性。总之，我们的发现表明，仅依靠他的所有垂直联合学习框架可能包含严重的隐私风险，而DP已经证明了其在水平联合学习中的力量，也可以在垂直环境中起着至关重要的作用，尤其是当耦合时使用HE或安全的多方计算（MPC）技术。

机器学习（ML）模型已广泛应用于各种应用，包括图像分类，文本生成，音频识别和图形数据分析。然而，最近的研究表明，ML模型容易受到隶属推导攻击（MIS），其目的是推断数据记录是否用于训练目标模型。 ML模型上的MIA可以直接导致隐私违规行为。例如，通过确定已经用于训练与某种疾病相关的模型的临床记录，攻击者可以推断临床记录的所有者具有很大的机会。近年来，MIS已被证明对各种ML模型有效，例如，分类模型和生成模型。同时，已经提出了许多防御方法来减轻米西亚。虽然ML模型上的MIAS形成了一个新的新兴和快速增长的研究区，但还没有对这一主题进行系统的调查。在本文中，我们对会员推论和防御进行了第一个全面调查。我们根据其特征提供攻击和防御的分类管理，并讨论其优点和缺点。根据本次调查中确定的限制和差距，我们指出了几个未来的未来研究方向，以激发希望遵循该地区的研究人员。这项调查不仅是研究社区的参考，而且还为该研究领域之外的研究人员带来了清晰的照片。为了进一步促进研究人员，我们创建了一个在线资源存储库，并与未来的相关作品继续更新。感兴趣的读者可以在https://github.com/hongshenghu/membership-inference-machine-learning-literature找到存储库。

联合学习使多个用户能够通过共享其模型更新（渐变）来构建联合模型，而其原始数据在其设备上保持本地。与常见的信念相比，这提供了隐私福利，我们在共享渐变时，我们在这里增加了隐私风险的最新结果。具体而言，我们调查梯度（LLG）的标签泄漏，这是一种新建攻击，从他们的共享梯度提取用户培训数据的标签。该攻击利用梯度的方向和幅度来确定任何标签的存在或不存在。 LLG简单且有效，能够泄漏由标签表示的电位敏感信息，并缩放到任意批量尺寸和多个类别。在数学上以及经验上证明了不同设置下攻击的有效性。此外，经验结果表明，LLG在模型训练的早期阶段以高精度成功提取标签。我们还讨论了针对这种泄漏的不同防御机制。我们的研究结果表明，梯度压缩是减轻攻击的实用技术。

Machine learning (ML) has become a core component of many real-world applications and training data is a key factor that drives current progress. This huge success has led Internet companies to deploy machine learning as a service (MLaaS). Recently, the first membership inference attack has shown that extraction of information on the training set is possible in such MLaaS settings, which has severe security and privacy implications.However, the early demonstrations of the feasibility of such attacks have many assumptions on the adversary, such as using multiple so-called shadow models, knowledge of the target model structure, and having a dataset from the same distribution as the target model's training data. We relax all these key assumptions, thereby showing that such attacks are very broadly applicable at low cost and thereby pose a more severe risk than previously thought. We present the most comprehensive study so far on this emerging and developing threat using eight diverse datasets which show the viability of the proposed attacks across domains.In addition, we propose the first effective defense mechanisms against such broader class of membership inference attacks that maintain a high level of utility of the ML model.

在联合学习中，多个客户端设备联合学习机器学习模型：每个客户端设备都为其本地训练数据集维护本地模型，而主设备通过从客户端设备聚合本地模型维护全局模型。该机器学习界最近提出了几种联合学习方法，该方法被声称对某些客户端设备的拜占庭故障（例如，系统故障，对抗性操纵）具有稳健。在这项工作中，我们对局部模型中毒攻击进行了第一个系统研究对联邦学习。我们假设攻击者已损害某些客户端设备，并且攻击者在学习过程中操纵受损客户端设备上的本地模型参数，使得全局模型具有大的测试错误率。我们将我们的攻击制订为优化问题，并将我们的攻击应用于四个最近的拜占庭式联邦学习方法。我们在四个真实数据集中的经验结果表明，我们的攻击可以大大增加由联合学习方法学到的模型的错误率，这些方法被声称对某些客户端设备的拜占庭式失败具有强大的稳健性。我们概括了数据中毒攻击的两个防御，以防御我们当地的模型中毒攻击。我们的评价结果​​表明，在某些情况下，一个防御可以有效地防御我们的攻击，但在其他情况下，防御不足，突出了对我们当地模型中毒攻击对联合学习的新防御的必要性。

成本敏感的分类对于错误分类错误的成本差异很大，至关重要。但是，过度参数化对深神经网络（DNNS）的成本敏感建模构成了基本挑战。 DNN完全插值训练数据集的能力可以渲染DNN，纯粹在训练集上进行评估，无效地区分了成本敏感的解决方案和其总体准确性最大化。这需要重新思考DNN中的成本敏感分类。为了应对这一挑战，本文提出了一个具有成本敏感的对抗数据增强（CSADA）框架，以使过度参数化的模型成本敏感。总体想法是生成针对性的对抗示例，以推动成本感知方向的决策边界。这些有针对性的对抗样本是通过最大化关键分类错误的可能性而产生的，并用于训练一个模型，以更加保守的对成对的决策。公开可用的有关著名数据集和药物药物图像（PMI）数据集的实验表明，我们的方法可以有效地最大程度地减少整体成本并减少关键错误，同时在整体准确性方面达到可比的性能。

考虑了垂直联合学习，其中一个活跃的聚会可以访问真正的班级标签，希望通过利用无源派对的更多功能来构建分类模型，该聚会无法访问标签，以提高模型的准确性。在预测阶段，以逻辑回归为分类模型，提出了几种推理攻击技术，即可以采用对手，即主动方来重建被视为敏感信息的被动方的特征。这些攻击主要基于集合中心的经典概念，即Chebyshev中心，被证明比文献中提出的那些优越。此外，为上述攻击提供了几种理论性能保证。随后，我们考虑对手完全重建被动方所需的最小信息。特别是，当被动方拥有一项功能时，并且对手只意识到所涉及的参数的符号时，当预测数量足够大时，它可以完美地重建该功能。接下来，作为一种防御机制，提出了两种保护隐私的计划，使对手的重建攻击恶化，同时保留了VFL带来的全部好处。最后，实验结果证明了拟议的攻击和保护隐私方案的有效性。