A Novel Self-Distillation Architecture to Defeat Membership Inference AttacksDownload PDF

Sep 17, 2021PRIML 2021 PosterReaders: Everyone
  • Keywords: Data privacy, Inference attacks, Membership privacy
  • TL;DR: This work proposes a new membership inference defense through self-distillation from an adaptive inference among sub-models.
  • Abstract: Membership inference attacks are a key measure to evaluate privacy leakage in machine learning (ML) models, which aim to distinguish training members from non-members by exploiting differential behavior of the models on member and non-member inputs. We propose a new framework to train privacy-preserving models that induces similar behavior on member and non-member inputs to mitigate practical membership inference attacks. Our framework, called SELENA, has two major components. The first component and the core of our defense, called Split-AI, is a novel ensemble architecture for training. We prove that our Split-AI architecture defends against a large family of membership inference attacks, however, it is susceptible to new adaptive attacks. Therefore, we use a second component in our framework called Self-Distillation to protect against such stronger attacks, which (self-)distills the training dataset through our Split-AI ensemble and has no reliance on external public datasets. We perform extensive experiments on major benchmark datasets and the results show that our approach achieves a better trade-off between membership privacy and utility compared to previous defenses.
  • Paper Under Submission: The paper is NOT under submission at NeurIPS
1 Reply