Although query-based systems (QBS) have become one of the main solutions to share data anonymously, building QBSes that robustly protect the privacy of individuals contributing to the dataset is a hard problem. Theoretical solutions relying on differential privacy guarantees are difficult to implement correctly with reasonable accuracy, while ad-hoc solutions might contain unknown vulnerabilities. Evaluating the privacy provided by QBSes must thus be done by evaluating the accuracy of a wide range of privacy attacks. However, existing attacks require time and expertise to develop, need to be manually tailored to the specific systems attacked, and are limited in scope. In this paper, we develop QuerySnout (QS), the first method to automatically discover vulnerabilities in QBSes. QS takes as input a target record and the QBS as a black box, analyzes its behavior on one or more datasets, and outputs a multiset of queries together with a rule to combine answers to them in order to reveal the sensitive attribute of the target record. QS uses evolutionary search techniques based on a novel mutation operator to find a multiset of queries susceptible to lead to an attack, and a machine learning classifier to infer the sensitive attribute from answers to the queries selected. We showcase the versatility of QS by applying it to two attack scenarios, three real-world datasets, and a variety of protection mechanisms. We show the attacks found by QS to consistently equate or outperform, sometimes by a large margin, the best attacks from the literature. We finally show how QS can be extended to QBSes that require a budget, and apply QS to a simple QBS based on the Laplace mechanism. Taken together, our results show how powerful and accurate attacks against QBSes can already be found by an automated system, allowing for highly complex QBSes to be automatically tested "at the pressing of a button".

机器学习模型越来越多地被世界各地的企业和组织用于自动化任务和决策。在潜在敏感的数据集上培训，已经显示了机器学习模型来泄露数据集中的个人信息以及全局数据集信息。我们在这里通过提出针对ML模型的新攻击来进一步研究数据集财产推理攻击一步：数据集相关推理攻击，其中攻击者的目标是推断模型的输入变量之间的相关性。我们首先表明攻击者可以利用相关矩阵的球面参数化，以进行明智的猜测。这意味着仅使用输入变量与目标变量之间的相关性，攻击者可以推断出两个输入变量之间的相关性，而不是随机猜测基线。我们提出了第二次攻击，利用暗影建模来利用机器学习模型来改进猜测。我们的攻击采用基于高斯opula的生成建模来生成具有各种相关性的合成数据集，以便为相关推断任务培训Meta-Model。我们评估我们对逻辑回归和多层Perceptron模型的攻击，并显示出胜过模型的攻击。我们的研究结果表明，基于机器的准确性，基于机器学习的攻击随着变量的数量而减少，并达到模型攻击的准确性。然而，无论变量的数量如何，与目标变量高度相关的输入变量之间的相关性更易受攻击。我们的工作桥梁可以考虑训练数据集和个人级泄漏的全球泄漏之间的差距。当加上边缘泄漏攻击时，它也可能构成数据集重建的第一步。

Differential privacy is a strong notion for privacy that can be used to prove formal guarantees, in terms of a privacy budget, , about how much information is leaked by a mechanism. However, implementations of privacy-preserving machine learning often select large values of in order to get acceptable utility of the model, with little understanding of the impact of such choices on meaningful privacy. Moreover, in scenarios where iterative learning procedures are used, differential privacy variants that offer tighter analyses are used which appear to reduce the needed privacy budget but present poorly understood trade-offs between privacy and utility. In this paper, we quantify the impact of these choices on privacy in experiments with logistic regression and neural network models. Our main finding is that there is a huge gap between the upper bounds on privacy loss that can be guaranteed, even with advanced mechanisms, and the effective privacy loss that can be measured using current inference attacks. Current mechanisms for differentially private machine learning rarely offer acceptable utility-privacy trade-offs with guarantees for complex learning tasks: settings that provide limited accuracy loss provide meaningless privacy guarantees, and settings that provide strong privacy guarantees result in useless models.

除了近年来数据收集和分析技术的快速开发外，还越来越强调需要解决与此类数据使用相关的信息泄漏。为此，隐私文献中的许多工作都致力于保护个人用户和数据贡献者。但是，某些情况需要不同的数据机密性概念，涉及数据集记录的全局属性。这样的信息保护概念尤其适用于业务和组织数据，在这些数据中，全球财产可能反映商业秘密或人口统计数据，如果不当行为可能是有害的。最新关于财产推断攻击的工作还显示了数据分析算法如何容易泄漏数据的这些全局性能，从而强调了开发可以保护此类信息的机制的重要性。在这项工作中，我们演示了如何应用分发隐私框架来形式化保护数据集的全球属性的问题。鉴于此框架，我们研究了一些提供数据机密性概念的机制及其权衡。我们分析了这些机制在各种数据假设下提供的理论保护保证，然后对几个数据分析任务进行实施并经验评估这些机制。我们的实验结果表明，我们的机制确实可以降低实用性推理攻击的有效性，同时提供的实用性大大超过了原油差异的隐私基线。因此，我们的工作为保护数据集的全球性质的理论支持机制提供了基础。

Machine learning algorithms, when applied to sensitive data, pose a distinct threat to privacy. A growing body of prior work demonstrates that models produced by these algorithms may leak specific private information in the training data to an attacker, either through the models' structure or their observable behavior. However, the underlying cause of this privacy risk is not well understood beyond a handful of anecdotal accounts that suggest overfitting and influence might play a role.This paper examines the effect that overfitting and influence have on the ability of an attacker to learn information about the training data from machine learning models, either through training set membership inference or attribute inference attacks. Using both formal and empirical analyses, we illustrate a clear relationship between these factors and the privacy risk that arises in several popular machine learning algorithms. We find that overfitting is sufficient to allow an attacker to perform membership inference and, when the target attribute meets certain conditions about its influence, attribute inference attacks. Interestingly, our formal analysis also shows that overfitting is not necessary for these attacks and begins to shed light on what other factors may be in play. Finally, we explore the connection between membership inference and attribute inference, showing that there are deep connections between the two that lead to effective new attacks.

鉴于对机器学习模型的访问，可以进行对手重建模型的培训数据？这项工作从一个强大的知情对手的镜头研究了这个问题，他们知道除了一个之外的所有培训数据点。通过实例化混凝土攻击，我们表明重建此严格威胁模型中的剩余数据点是可行的。对于凸模型（例如Logistic回归），重建攻击很简单，可以以封闭形式导出。对于更常规的模型（例如神经网络），我们提出了一种基于训练的攻击策略，该攻击策略接收作为输入攻击的模型的权重，并产生目标数据点。我们展示了我们对MNIST和CIFAR-10训练的图像分类器的攻击的有效性，并系统地研究了标准机器学习管道的哪些因素影响重建成功。最后，我们从理论上调查了有多差异的隐私足以通过知情对手减轻重建攻击。我们的工作提供了有效的重建攻击，模型开发人员可以用于评估超出以前作品中考虑的一般设置中的个别点的记忆（例如，生成语言模型或访问培训梯度）;它表明，标准模型具有存储足够信息的能力，以实现培训数据点的高保真重建;它表明，差异隐私可以成功减轻该参数制度中的攻击，其中公用事业劣化最小。

差异隐私通常使用比理论更大的隐私参数应用于理想的理想。已经提出了宽大隐私参数的各种非正式理由。在这项工作中，我们考虑了部分差异隐私（DP），该隐私允许以每个属性为基础量化隐私保证。在此框架中，我们研究了几个基本数据分析和学习任务，并设计了其每个属性隐私参数的算法，其较小的人（即所有属性）的最佳隐私参数比最佳的隐私参数。

模型可以公开有关其培训数据的敏感信息。在属性推理攻击中，对手对某些培训记录有部分知识，并访问了对这些记录进行培训的模型，并渗透了这些记录敏感功能的未知值。我们研究了一种属性推理的细粒变体，我们称为\ emph {敏感值推理}，其中对手的目标是高度置信度识别一些来自候选人集的记录，其中未知属性具有特定的敏感值。我们将属性推断与捕获培训分布统计数据的数据插补进行明确比较，该数据在对对手可用的培训数据的各种假设下进行了比较。我们的主要结论是：（1）以前的属性推理方法并没有比对手可以推断出有关训练数据的训练数据的更多信息，而无需访问训练的模型，而是对培训所需的基础分布相同的知识属性推理攻击； （2）Black-Box属性推理攻击很少学习没有模型的任何东西；但是（3）我们在论文中介绍和评估的白框攻击可以可靠地识别一些具有敏感值属性的记录，而这些记录在不访问模型的情况下无法预测。此外，我们表明提出的防御措施，例如私人培训和从培训中删除脆弱记录不会减轻这种隐私风险。我们的实验代码可在\ url {https://github.com/bargavj/evaluatingdpml}上获得。

When analyzing confidential data through a privacy filter, a data scientist often needs to decide which queries will best support their intended analysis. For example, an analyst may wish to study noisy two-way marginals in a dataset produced by a mechanism M1. But, if the data are relatively sparse, the analyst may choose to examine noisy one-way marginals, produced by a mechanism M2 instead. Since the choice of whether to use M1 or M2 is data-dependent, a typical differentially private workflow is to first split the privacy loss budget rho into two parts: rho1 and rho2, then use the first part rho1 to determine which mechanism to use, and the remainder rho2 to obtain noisy answers from the chosen mechanism. In a sense, the first step seems wasteful because it takes away part of the privacy loss budget that could have been used to make the query answers more accurate. In this paper, we consider the question of whether the choice between M1 and M2 can be performed without wasting any privacy loss budget. For linear queries, we propose a method for decomposing M1 and M2 into three parts: (1) a mechanism M* that captures their shared information, (2) a mechanism M1' that captures information that is specific to M1, (3) a mechanism M2' that captures information that is specific to M2. Running M* and M1' together is completely equivalent to running M1 (both in terms of query answer accuracy and total privacy cost rho). Similarly, running M* and M2' together is completely equivalent to running M2. Since M* will be used no matter what, the analyst can use its output to decide whether to subsequently run M1'(thus recreating the analysis supported by M1) or M2'(recreating the analysis supported by M2), without wasting privacy loss budget.

从公共机器学习（ML）模型中泄漏数据是一个越来越重要的领域，因为ML的商业和政府应用可以利用多个数据源，可能包括用户和客户的敏感数据。我们对几个方面的当代进步进行了全面的调查，涵盖了非自愿数据泄漏，这对ML模型很自然，潜在的恶毒泄漏是由隐私攻击引起的，以及目前可用的防御机制。我们专注于推理时间泄漏，这是公开可用模型的最可能场景。我们首先在不同的数据，任务和模型体系结构的背景下讨论什么是泄漏。然后，我们提出了跨非自愿和恶意泄漏的分类法，可用的防御措施，然后进行当前可用的评估指标和应用。我们以杰出的挑战和开放性的问题结束，概述了一些有希望的未来研究方向。

A reconstruction attack on a private dataset $D$ takes as input some publicly accessible information about the dataset and produces a list of candidate elements of $D$. We introduce a new class of data reconstruction attacks based on randomized methods for non-convex optimization. We empirically demonstrate that our attacks can not only reconstruct full rows of $D$ from aggregate query statistics $Q(D)\in \mathbb{R}^m$, but can do so in a way that reliably ranks reconstructed rows by their odds of appearing in the private data, providing a signature that could be used for prioritizing reconstructed rows for further actions such as identify theft or hate crime. We also design a sequence of baselines for evaluating reconstruction attacks. Our attacks significantly outperform those that are based only on access to a public distribution or population from which the private dataset $D$ was sampled, demonstrating that they are exploiting information in the aggregate statistics $Q(D)$, and not simply the overall structure of the distribution. In other words, the queries $Q(D)$ are permitting reconstruction of elements of this dataset, not the distribution from which $D$ was drawn. These findings are established both on 2010 U.S. decennial Census data and queries and Census-derived American Community Survey datasets. Taken together, our methods and experiments illustrate the risks in releasing numerically precise aggregate statistics of a large dataset, and provide further motivation for the careful application of provably private techniques such as differential privacy.

在其培训集中，给定训练有素的模型泄漏了多少培训模型泄露？会员资格推理攻击用作审计工具，以量化模型在其训练集中泄漏的私人信息。会员推理攻击受到不同不确定性的影响，即攻击者必须解决培训数据，培训算法和底层数据分布。因此，攻击成功率，在文献中的许多攻击，不要精确地捕获模型的信息泄漏关于他们的数据，因为它们还反映了攻击算法具有的其他不确定性。在本文中，我们解释了隐含的假设以及使用假设检测框架在现有工作中进行的简化。我们还从框架中获得了新的攻击算法，可以实现高AUC分数，同时还突出显示影响其性能的不同因素。我们的算法捕获模型中隐私损失的非常精确的近似，并且可以用作在机器学习模型中执行准确和了解的隐私风险的工具。我们对各种机器学习任务和基准数据集的攻击策略提供了彻底的实证评估。

We initiate the study of privacy in pharmacogenetics, wherein machine learning models are used to guide medical treatments based on a patient's genotype and background. Performing an in-depth case study on privacy in personalized warfarin dosing, we show that suggested models carry privacy risks, in particular because attackers can perform what we call model inversion: an attacker, given the model and some demographic information about a patient, can predict the patient's genetic markers.As differential privacy (DP) is an oft-proposed solution for medical settings such as this, we evaluate its effectiveness for building private versions of pharmacogenetic models. We show that DP mechanisms prevent our model inversion attacks when the privacy budget is carefully selected. We go on to analyze the impact on utility by performing simulated clinical trials with DP dosing models. We find that for privacy budgets effective at preventing attacks, patients would be exposed to increased risk of stroke, bleeding events, and mortality. We conclude that current DP mechanisms do not simultaneously improve genomic privacy while retaining desirable clinical efficacy, highlighting the need for new mechanisms that should be evaluated in situ using the general methodology introduced by our work.

属性推理攻击使对手可以从机器学习模型中提取培训数据集的全局属性。此类攻击对共享数据集来培训机器学习模型的数据所有者具有隐私影响。已经提出了几种针对深神经网络的财产推理攻击的现有方法，但它们都依靠攻击者训练大量的影子模型，这会导致大型计算开销。在本文中，我们考虑了攻击者可以毒化训练数据集的子集并查询训练有素的目标模型的属性推理攻击的设置。通过我们对中毒下模型信心的理论分析的激励，我们设计了有效的财产推理攻击，SNAP，该攻击获得了更高的攻击成功，并且需要比Mahloujifar Et的基于最先进的中毒的财产推理攻击更高的中毒量。 al。例如，在人口普查数据集上，SNAP的成功率比Mahloujifar等人高34％。同时更快56.5倍。我们还扩展了攻击，以确定在培训中是否根本存在某个财产，并有效地估算了利息财产的确切比例。我们评估了对四个数据集各种比例的多种属性的攻击，并证明了Snap的一般性和有效性。

We quantitatively investigate how machine learning models leak information about the individual data records on which they were trained. We focus on the basic membership inference attack: given a data record and black-box access to a model, determine if the record was in the model's training dataset. To perform membership inference against a target model, we make adversarial use of machine learning and train our own inference model to recognize differences in the target model's predictions on the inputs that it trained on versus the inputs that it did not train on.We empirically evaluate our inference techniques on classification models trained by commercial "machine learning as a service" providers such as Google and Amazon. Using realistic datasets and classification tasks, including a hospital discharge dataset whose membership is sensitive from the privacy perspective, we show that these models can be vulnerable to membership inference attacks. We then investigate the factors that influence this leakage and evaluate mitigation strategies.

想象一组愿意集体贡献他们的个人数据的公民，以获得共同的益处，以产生社会有用的信息，由数据分析或机器学习计算产生。使用执行计算的集中式服务器共享原始的个人数据可能会引发对隐私和感知风险的担忧。相反，公民可以相互信任，并且他们自己的设备可以参与分散的计算，以协同生成要共享的聚合数据释放。在安全计算节点在运行时在安全信道交换消息的上下文中，密钥安全问题是保护对观察流量的外部攻击者，其对数据的依赖可以揭示个人信息。现有解决方案专为云设置而设计，目标是隐藏底层数据集的所有属性，并且不解决上述背景下出现的特定隐私和效率挑战。在本文中，我们定义了一般执行模型，以控制用户侧分散计算中通信的数据依赖性，其中通过组合在局部节点的局部集群上的保证来分析全局执行计划中的差异隐私保证。我们提出了一系列算法，可以在隐私，效用和效率之间进行权衡。我们的正式隐私保障利用，并通过洗牌延长隐私放大的结果。我们说明了我们对具有数据依赖通信的分散执行计划的两个代表性示例的提案的有用性。

大量工作表明，机器学习（ML）模型可以泄漏有关其培训数据的敏感或机密信息。最近，由于分布推断（或属性推断）攻击引起的泄漏正在引起人们的注意。在此攻击中，对手的目标是推断有关培训数据的分配信息。到目前为止，对分布推理的研究集中在证明成功的攻击上，而很少注意确定泄漏的潜在原因和提出缓解。为了弥合这一差距，作为我们的主要贡献，我们从理论和经验上分析了信息泄漏的来源，这使对手能够进行分布推理攻击。我们确定泄漏的三个来源：（1）记住有关$ \ mathbb {e} [y | x] $（给定特征值的预期标签）的特定信息，（（2）模型的错误归纳偏置，以及（3）培训数据的有限性。接下来，根据我们的分析，我们提出了针对分配推理攻击的原则缓解技术。具体而言，我们证明了因果学习技术比相关学习方法更适合特定类型的分布推理所谓的分配构件推理。最后，我们提出了分布推断的形式化，该推论允许对比以前更多的一般对手进行推理。

Machine learning (ML) models may be deemed confidential due to their sensitive training data, commercial value, or use in security applications. Increasingly often, confidential ML models are being deployed with publicly accessible query interfaces. ML-as-a-service ("predictive analytics") systems are an example: Some allow users to train models on potentially sensitive data and charge others for access on a pay-per-query basis.The tension between model confidentiality and public access motivates our investigation of model extraction attacks. In such attacks, an adversary with black-box access, but no prior knowledge of an ML model's parameters or training data, aims to duplicate the functionality of (i.e., "steal") the model. Unlike in classical learning theory settings, ML-as-a-service offerings may accept partial feature vectors as inputs and include confidence values with predictions. Given these practices, we show simple, efficient attacks that extract target ML models with near-perfect fidelity for popular model classes including logistic regression, neural networks, and decision trees. We demonstrate these attacks against the online services of BigML and Amazon Machine Learning. We further show that the natural countermeasure of omitting confidence values from model outputs still admits potentially harmful model extraction attacks. Our results highlight the need for careful ML model deployment and new model extraction countermeasures.

近年来，关于如何在公平限制下学习机器学习模型的越来越多的工作，通常在某些敏感属性方面表达。在这项工作中，我们考虑了对手对目标模型具有黑箱访问的设置，并表明对手可以利用有关该模型公平性的信息，以增强他对训练数据敏感属性的重建。更确切地说，我们提出了一种通用的重建校正方法，该方法将其作为对手进行的初始猜测，并纠正它以符合某些用户定义的约束（例如公平信息），同时最大程度地减少了对手猜测的变化。提出的方法对目标模型的类型，公平感知的学习方法以及对手的辅助知识不可知。为了评估我们的方法的适用性，我们对两种最先进的公平学习方法进行了彻底的实验评估，使用四个具有广泛公差的不同公平指标以及三个不同大小和敏感属性的数据集。实验结果证明了提出的方法改善训练集敏感属性的重建的有效性。

我们研究私有综合数据生成查询版本，其中目标是构建差异隐私的敏感数据集的消毒版本，这大致保留了大量统计查询的答案。我们首先介绍一个算法框架，统一文献中的长线迭代算法。在此框架下，我们提出了两种新方法。第一种方法，私人熵投影（PEP），可以被视为MWEM的高级变体，可自适应地重复使用过去查询测量以提高精度。我们的第二种方法，具有指数机制（GEM）的生成网络，通过优化由神经网络参数化的生成模型来避免MWEM和PEP等算法中的计算瓶颈，该分布族捕获了丰富的分布系列，同时实现了快速的基于梯度的优化。我们展示了PEP和GEM经验胜过现有算法。此外，我们表明宝石很好地纳入了公共数据的先前信息，同时克服了PMW ^ PUB的限制，现有的现有方法也利用公共数据。