基于云的机器学习服务（CMLS）使组织能够利用大量数据预先培训的先进模型。然而，使用这些服务的主要缺点是难以保持传输的数据私密和安全。不对称加密需要在云中解密数据，而同性恋加密通常太慢并且难以实现。我们提出了一种通过去卷积（OWSD）的一种方式扰乱（OWSD），一种基于去卷积的加扰框架，其提供了在计算开销的一小部分处的同态加密的优点。当CMLS的输出向量足够大时，对多个图像数据集的广泛评估演示了OWSD实现接近完美分类性能的能力。此外，我们还提供了对我们方法的稳健性的实证分析。

Large training data and expensive model tweaking are standard features of deep learning for images. As a result, data owners often utilize cloud resources to develop large-scale complex models, which raises privacy concerns. Existing solutions are either too expensive to be practical or do not sufficiently protect the confidentiality of data and models. In this paper, we study and compare novel \emph{image disguising} mechanisms, DisguisedNets and InstaHide, aiming to achieve a better trade-off among the level of protection for outsourced DNN model training, the expenses, and the utility of data. DisguisedNets are novel combinations of image blocktization, block-level random permutation, and two block-level secure transformations: random multidimensional projection (RMT) and AES pixel-level encryption (AES). InstaHide is an image mixup and random pixel flipping technique \cite{huang20}. We have analyzed and evaluated them under a multi-level threat model. RMT provides a better security guarantee than InstaHide, under the Level-1 adversarial knowledge with well-preserved model quality. In contrast, AES provides a security guarantee under the Level-2 adversarial knowledge, but it may affect model quality more. The unique features of image disguising also help us to protect models from model-targeted attacks. We have done an extensive experimental evaluation to understand how these methods work in different settings for different datasets.

We quantitatively investigate how machine learning models leak information about the individual data records on which they were trained. We focus on the basic membership inference attack: given a data record and black-box access to a model, determine if the record was in the model's training dataset. To perform membership inference against a target model, we make adversarial use of machine learning and train our own inference model to recognize differences in the target model's predictions on the inputs that it trained on versus the inputs that it did not train on.We empirically evaluate our inference techniques on classification models trained by commercial "machine learning as a service" providers such as Google and Amazon. Using realistic datasets and classification tasks, including a hospital discharge dataset whose membership is sensitive from the privacy perspective, we show that these models can be vulnerable to membership inference attacks. We then investigate the factors that influence this leakage and evaluate mitigation strategies.

Deep Learning has recently become hugely popular in machine learning for its ability to solve end-to-end learning systems, in which the features and the classifiers are learned simultaneously, providing significant improvements in classification accuracy in the presence of highly-structured and large databases.Its success is due to a combination of recent algorithmic breakthroughs, increasingly powerful computers, and access to significant amounts of data.Researchers have also considered privacy implications of deep learning. Models are typically trained in a centralized manner with all the data being processed by the same training algorithm. If the data is a collection of users' private data, including habits, personal pictures, geographical positions, interests, and more, the centralized server will have access to sensitive information that could potentially be mishandled. To tackle this problem, collaborative deep learning models have recently been proposed where parties locally train their deep learning structures and only share a subset of the parameters in the attempt to keep their respective training sets private. Parameters can also be obfuscated via differential privacy (DP) to make information extraction even more challenging, as proposed by Shokri and Shmatikov at CCS'15.Unfortunately, we show that any privacy-preserving collaborative deep learning is susceptible to a powerful attack that we devise in this paper. In particular, we show that a distributed, federated, or decentralized deep learning approach is fundamentally broken and does not protect the training sets of honest participants. The attack we developed exploits the real-time nature of the learning process that allows the adversary to train a Generative Adversarial Network (GAN) that generates prototypical samples of the targeted training set that was meant to be private (the samples generated by the GAN are intended to come from the same distribution as the training data). Interestingly, we show that record-level differential privacy applied to the shared parameters of the model, as suggested in previous work, is ineffective (i.e., record-level DP is not designed to address our attack).

在模型提取攻击中，对手可以通过反复查询并根据获得的预测来窃取通过公共API暴露的机器学习模型。为了防止模型窃取，现有的防御措施专注于检测恶意查询，截断或扭曲输出，因此必然会为合法用户引入鲁棒性和模型实用程序之间的权衡。取而代之的是，我们建议通过要求用户在阅读模型的预测之前完成工作证明来阻碍模型提取。这可以通过大大增加（甚至高达100倍）来阻止攻击者，以利用查询访问模型提取所需的计算工作。由于我们校准完成每个查询的工作证明所需的努力，因此这仅为常规用户（最多2倍）引入一个轻微的开销。为了实现这一目标，我们的校准应用了来自差异隐私的工具来衡量查询揭示的信息。我们的方法不需要对受害者模型进行任何修改，可以通过机器学习从业人员来应用其公开暴露的模型免于轻易被盗。

网络威胁情报（CTI）共享是减少攻击者和捍卫者之间信息不对称的重要活动。但是，由于数据共享和机密性之间的紧张关系，这项活动带来了挑战，这导致信息保留通常会导致自由骑士问题。因此，共享的信息仅代表冰山一角。当前的文献假设访问包含所有信息的集中数据库，但是由于上述张力，这并不总是可行的。这会导致不平衡或不完整的数据集，需要使用技术扩展它们。我们展示了这些技术如何导致结果和误导性能期望。我们提出了一个新颖的框架，用于从分布式数据中提取有关事件，漏洞和妥协指标的分布式数据，并与恶意软件信息共享平台（MISP）一起证明其在几种实际情况下的使用。提出和讨论了CTI共享的政策影响。拟议的系统依赖于隐私增强技术和联合处理的有效组合。这使组织能够控制其CTI，并最大程度地减少暴露或泄漏的风险，同时为共享的好处，更准确和代表性的结果以及更有效的预测性和预防性防御能力。

Existing integrity verification approaches for deep models are designed for private verification (i.e., assuming the service provider is honest, with white-box access to model parameters). However, private verification approaches do not allow model users to verify the model at run-time. Instead, they must trust the service provider, who may tamper with the verification results. In contrast, a public verification approach that considers the possibility of dishonest service providers can benefit a wider range of users. In this paper, we propose PublicCheck, a practical public integrity verification solution for services of run-time deep models. PublicCheck considers dishonest service providers, and overcomes public verification challenges of being lightweight, providing anti-counterfeiting protection, and having fingerprinting samples that appear smooth. To capture and fingerprint the inherent prediction behaviors of a run-time model, PublicCheck generates smoothly transformed and augmented encysted samples that are enclosed around the model's decision boundary while ensuring that the verification queries are indistinguishable from normal queries. PublicCheck is also applicable when knowledge of the target model is limited (e.g., with no knowledge of gradients or model parameters). A thorough evaluation of PublicCheck demonstrates the strong capability for model integrity breach detection (100% detection accuracy with less than 10 black-box API queries) against various model integrity attacks and model compression attacks. PublicCheck also demonstrates the smooth appearance, feasibility, and efficiency of generating a plethora of encysted samples for fingerprinting.

Federated learning is a collaborative method that aims to preserve data privacy while creating AI models. Current approaches to federated learning tend to rely heavily on secure aggregation protocols to preserve data privacy. However, to some degree, such protocols assume that the entity orchestrating the federated learning process (i.e., the server) is not fully malicious or dishonest. We investigate vulnerabilities to secure aggregation that could arise if the server is fully malicious and attempts to obtain access to private, potentially sensitive data. Furthermore, we provide a method to further defend against such a malicious server, and demonstrate effectiveness against known attacks that reconstruct data in a federated learning setting.

Neural networks are susceptible to data inference attacks such as the membership inference attack, the adversarial model inversion attack and the attribute inference attack, where the attacker could infer useful information such as the membership, the reconstruction or the sensitive attributes of a data sample from the confidence scores predicted by the target classifier. In this paper, we propose a method, namely PURIFIER, to defend against membership inference attacks. It transforms the confidence score vectors predicted by the target classifier and makes purified confidence scores indistinguishable in individual shape, statistical distribution and prediction label between members and non-members. The experimental results show that PURIFIER helps defend membership inference attacks with high effectiveness and efficiency, outperforming previous defense methods, and also incurs negligible utility loss. Besides, our further experiments show that PURIFIER is also effective in defending adversarial model inversion attacks and attribute inference attacks. For example, the inversion error is raised about 4+ times on the Facescrub530 classifier, and the attribute inference accuracy drops significantly when PURIFIER is deployed in our experiment.

窃取对受控信息的攻击，以及越来越多的信息泄漏事件，已成为近年来新兴网络安全威胁。由于蓬勃发展和部署先进的分析解决方案，新颖的窃取攻击利用机器学习（ML）算法来实现高成功率并导致大量损坏。检测和捍卫这种攻击是挑战性和紧迫的，因此政府，组织和个人应该非常重视基于ML的窃取攻击。本调查显示了这种新型攻击和相应对策的最新进展。以三类目标受控信息的视角审查了基于ML的窃取攻击，包括受控用户活动，受控ML模型相关信息和受控认证信息。最近的出版物总结了概括了总体攻击方法，并导出了基于ML的窃取攻击的限制和未来方向。此外，提出了从三个方面制定有效保护的对策 - 检测，破坏和隔离。

由于对神经网络的运行推断的计算成本，因此通常需要在第三方的计算环境或硬件上部署推论步骤。如果第三方不完全信任，则需要混淆输入和输出的性质，以便第三方无法轻易确定正在执行哪些特定任务。事实证明，存在利用不受信任的政党的协议，但在实践中运行的计算要求太高了。相反，我们探索了一种不同的快速启发式安全策略，我们称之为连接主义符号伪造秘密。通过利用全息降低表示（HRR），我们创建了一个具有伪加密风格的防御的神经网络，从经验上表现出强大的攻击性，即使在不切实际地偏爱对手的威胁模型下也是如此。

Differentially private federated learning (DP-FL) has received increasing attention to mitigate the privacy risk in federated learning. Although different schemes for DP-FL have been proposed, there is still a utility gap. Employing central Differential Privacy in FL (CDP-FL) can provide a good balance between the privacy and model utility, but requires a trusted server. Using Local Differential Privacy for FL (LDP-FL) does not require a trusted server, but suffers from lousy privacy-utility trade-off. Recently proposed shuffle DP based FL has the potential to bridge the gap between CDP-FL and LDP-FL without a trusted server; however, there is still a utility gap when the number of model parameters is large. In this work, we propose OLIVE, a system that combines the merits from CDP-FL and LDP-FL by leveraging Trusted Execution Environment (TEE). Our main technical contributions are the analysis and countermeasures against the vulnerability of TEE in OLIVE. Firstly, we theoretically analyze the memory access pattern leakage of OLIVE and find that there is a risk for sparsified gradients, which is common in FL. Secondly, we design an inference attack to understand how the memory access pattern could be linked to the training data. Thirdly, we propose oblivious yet efficient algorithms to prevent the memory access pattern leakage in OLIVE. Our experiments on real-world data demonstrate that OLIVE is efficient even when training a model with hundreds of thousands of parameters and effective against side-channel attacks on TEE.

Differentially Private Stochastic Gradient Descent (DP-SGD) is a key method for applying privacy in the training of deep learning models. This applies isotropic Gaussian noise to gradients during training, which can perturb these gradients in any direction, damaging utility. Metric DP, however, can provide alternative mechanisms based on arbitrary metrics that might be more suitable. In this paper we apply \textit{directional privacy}, via a mechanism based on the von Mises-Fisher (VMF) distribution, to perturb gradients in terms of \textit{angular distance} so that gradient direction is broadly preserved. We show that this provides $\epsilon d$-privacy for deep learning training, rather than the $(\epsilon, \delta)$-privacy of the Gaussian mechanism; and that experimentally, on key datasets, the VMF mechanism can outperform the Gaussian in the utility-privacy trade-off.

机器学习与服务（MLAAS）已成为广泛的范式，即使是通过例如，也是客户可用的最复杂的机器学习模型。一个按要求的原则。这使用户避免了数据收集，超参数调整和模型培训的耗时过程。但是，通过让客户访问（预测）模型，MLAAS提供商危害其知识产权，例如敏感培训数据，优化的超参数或学到的模型参数。对手可以仅使用预测标签创建模型的副本，并以（几乎）相同的行为。尽管已经描述了这种攻击的许多变体，但仅提出了零星的防御策略，以解决孤立的威胁。这增加了对模型窃取领域进行彻底系统化的必要性，以全面了解这些攻击是成功的原因，以及如何全面地捍卫它们。我们通过对模型窃取攻击，评估其性能以及探索不同设置中相应的防御技术来解决这一问题。我们为攻击和防御方法提出了分类法，并提供有关如何根据目标和可用资源选择正确的攻击或防御策略的准则。最后，我们分析了当前攻击策略使哪些防御能力降低。

在解决复杂的现实世界任务方面的最新深度学习（DL）进步导致其在实际应用中广泛采用。但是，这个机会具有重大的潜在风险，因为这些模型中的许多模型都依赖于对各种应用程序进行培训的隐私敏感数据，这使它们成为侵犯隐私的过度暴露威胁表面。此外，基于云的机器学习-AS-A-Service（MLAAS）在其强大的基础架构支持方面的广泛使用扩大了威胁表面，以包括各种远程侧渠道攻击。在本文中，我们首先在DL实现中识别并报告了一个新颖的数据依赖性计时侧通道泄漏（称为类泄漏），该实现源自广泛使用的DL Framework Pytorch中的非恒定时间分支操作。我们进一步展示了一个实用的推理时间攻击，其中具有用户特权和硬标签黑盒访问MLAA的对手可以利用类泄漏来损害MLAAS用户的隐私。 DL模型容易受到会员推理攻击（MIA）的攻击，其中对手的目标是推断在训练模型时是否使用过任何特定数据。在本文中，作为一个单独的案例研究，我们证明了具有差异隐私保护的DL模型（对MIA的流行对策）仍然容易受到MIA的影响，而不是针对对手开发的漏洞泄漏。我们通过进行恒定的分支操作来减轻班级泄漏并有助于减轻MIA，从而开发出易于实施的对策。我们选择了两个标准基准图像分类数据集CIFAR-10和CIFAR-100来训练五个最先进的预训练的DL模型，这是在具有Intel Xeon和Intel Xeon和Intel I7处理器的两个不同的计算环境中，以验证我们的方法。

鉴于对机器学习模型的访问，可以进行对手重建模型的培训数据？这项工作从一个强大的知情对手的镜头研究了这个问题，他们知道除了一个之外的所有培训数据点。通过实例化混凝土攻击，我们表明重建此严格威胁模型中的剩余数据点是可行的。对于凸模型（例如Logistic回归），重建攻击很简单，可以以封闭形式导出。对于更常规的模型（例如神经网络），我们提出了一种基于训练的攻击策略，该攻击策略接收作为输入攻击的模型的权重，并产生目标数据点。我们展示了我们对MNIST和CIFAR-10训练的图像分类器的攻击的有效性，并系统地研究了标准机器学习管道的哪些因素影响重建成功。最后，我们从理论上调查了有多差异的隐私足以通过知情对手减轻重建攻击。我们的工作提供了有效的重建攻击，模型开发人员可以用于评估超出以前作品中考虑的一般设置中的个别点的记忆（例如，生成语言模型或访问培训梯度）;它表明，标准模型具有存储足够信息的能力，以实现培训数据点的高保真重建;它表明，差异隐私可以成功减轻该参数制度中的攻击，其中公用事业劣化最小。

我们调查分裂学习的安全 - 一种新颖的协作机器学习框架，通过需要最小的资源消耗来实现峰值性能。在本文中，我们通过介绍客户私人培训集重建的一般攻击策略来揭示议定书的脆弱性并展示其固有的不安全。更突出地，我们表明恶意服务器可以积极地劫持分布式模型的学习过程，并将其纳入不安全状态，从而为客户端提供推动攻击。我们实施不同的攻击调整，并在各种数据集中测试它们以及现实的威胁方案。我们证明我们的攻击能够克服最近提出的防御技术，旨在提高分裂学习议定书的安全性。最后，我们还通过扩展以前设计的联合学习的攻击来说明协议对恶意客户的不安全性。要使我们的结果可重复，我们会在https://github.com/pasquini-dario/splitn_fsha提供的代码。

身份验证系统容易受到模型反演攻击的影响，在这种攻击中，对手能够近似目标机器学习模型的倒数。生物识别模型是这种攻击的主要候选者。这是因为反相生物特征模型允许攻击者产生逼真的生物识别输入，以使生物识别认证系统欺骗。进行成功模型反转攻击的主要限制之一是所需的训练数据量。在这项工作中，我们专注于虹膜和面部生物识别系统，并提出了一种新技术，可大大减少必要的训练数据量。通过利用多个模型的输出，我们能够使用1/10进行模型反演攻击，以艾哈迈德和富勒（IJCB 2020）的训练集大小（IJCB 2020）进行虹膜数据，而Mai等人的训练集大小为1/1000。 （模式分析和机器智能2019）的面部数据。我们将新的攻击技术表示为结构性随机，并损失对齐。我们的攻击是黑框，不需要了解目标神经网络的权重，只需要输出向量的维度和值。为了显示对齐损失的多功能性，我们将攻击框架应用于会员推理的任务（Shokri等，IEEE S＆P 2017），对生物识别数据。对于IRIS，针对分类网络的会员推断攻击从52％提高到62％的准确性。

Deep neural networks are susceptible to various inference attacks as they remember information about their training data. We design white-box inference attacks to perform a comprehensive privacy analysis of deep learning models. We measure the privacy leakage through parameters of fully trained models as well as the parameter updates of models during training. We design inference algorithms for both centralized and federated learning, with respect to passive and active inference attackers, and assuming different adversary prior knowledge.We evaluate our novel white-box membership inference attacks against deep learning algorithms to trace their training data records. We show that a straightforward extension of the known black-box attacks to the white-box setting (through analyzing the outputs of activation functions) is ineffective. We therefore design new algorithms tailored to the white-box setting by exploiting the privacy vulnerabilities of the stochastic gradient descent algorithm, which is the algorithm used to train deep neural networks. We investigate the reasons why deep learning models may leak information about their training data. We then show that even well-generalized models are significantly susceptible to white-box membership inference attacks, by analyzing stateof-the-art pre-trained and publicly available models for the CIFAR dataset. We also show how adversarial participants, in the federated learning setting, can successfully run active membership inference attacks against other participants, even when the global model achieves high prediction accuracies.

员额推理攻击允许对训练的机器学习模型进行对手以预测模型的训练数据集中包含特定示例。目前使用平均案例的“精度”度量来评估这些攻击，该攻击未能表征攻击是否可以自信地识别培训集的任何成员。我们认为，应该通过计算其低（例如<0.1％）假阳性率来计算攻击来评估攻击，并在以这种方式评估时发现大多数事先攻击差。为了解决这一问题，我们开发了一个仔细结合文献中多种想法的似然比攻击（Lira）。我们的攻击是低于虚假阳性率的10倍，并且在攻击现有度量的情况下也严格占主导地位。