Abstract: We consider membership inference attacks, one of the main privacy issues in machine learning. These recently developed attacks have been proven successful in determining, with confidence better than a random guess, whether a given sample belongs to the dataset on which the attacked machine learning model was trained. Several approaches have been developed to mitigate this privacy leakage, but the performance tradeoffs of these defensive mechanisms (i.e., the accuracy and utility of the defended machine learning model) are not yet well studied. We propose a novel approach of privacy leakage avoidance with switching ensembles (PASE), which protects against current membership inference attacks and does so with a very small accuracy penalty, while requiring an acceptable increase in training and inference time. Instead of using disjoint subsets for training the classifiers, as in the current state-of-the-art PATE approach, PASE uses significantly overlapping subsets for training the classifiers in the ensemble. The consequence of that distinction is a move from significantly reduced training sizes (and, correspondingly, reduced accuracy) for individual classifiers to insignificantly reduced training sizes (and, correspondingly, insignificantly reduced accuracy) for individual classifiers. We test our PASE method, along with the current state-of-the-art PATE approach, on three calibration datasets and analyze their tradeoffs.
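The contrast between disjoint and overlapping training subsets, as an added illustration (not the paper's code): the overlapping scheme below is an assumed leave-one-shard-out construction, one way to realise heavily overlapping subsets, and is not necessarily the exact scheme PASE uses. It shows how the per-classifier training fraction changes and that every sample is still held out from at least one classifier.

```python
import random


def disjoint_subsets(n, k, seed=0):
    """PATE-style split: k disjoint shards over the n training indices."""
    idx = list(range(n))
    random.Random(seed).shuffle(idx)
    return [sorted(idx[i::k]) for i in range(k)]


def overlapping_subsets(n, k, seed=0):
    """Assumed PASE-style split (leave-one-shard-out, an illustrative choice):
    classifier j trains on every shard except shard j, so any two subsets
    share (k-2)/k of the data."""
    shards = disjoint_subsets(n, k, seed)
    return [
        sorted(i for s, shard in enumerate(shards) if s != j for i in shard)
        for j in range(k)
    ]


def training_fraction(subsets, n):
    """Mean fraction of the full training set seen by each classifier."""
    return sum(len(s) for s in subsets) / (len(subsets) * n)


def holdout_counts(subsets, n):
    """For each sample, the number of classifiers that never trained on it.
    A defender needs this to be >= 1 for every sample so that some member of
    the ensemble can answer without having memorised that sample."""
    seen = [0] * n
    for s in subsets:
        for i in s:
            seen[i] += 1
    return [len(subsets) - c for c in seen]


if __name__ == "__main__":
    n, k = 1000, 10  # constructed sizes: 1000 samples, 10 classifiers
    for name, subsets in (("PATE (disjoint)", disjoint_subsets(n, k)),
                          ("overlapping", overlapping_subsets(n, k))):
        frac = training_fraction(subsets, n)
        held = holdout_counts(subsets, n)
        print(f"{name}: each classifier sees {frac:.0%} of the data, "
              f"each sample is unseen by {min(held)}..{max(held)} classifiers")
```

With 10 classifiers the disjoint split gives each one 10% of the data, while the overlapping split gives each one 90%, which is the "insignificantly reduced training sizes" point of the abstract.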