{"title":"机器学习中的成员推理攻击和防御调查","authors":"","doi":"10.1016/j.jiixd.2024.02.001","DOIUrl":null,"url":null,"abstract":"<div><p>Membership inference (MI) attacks mainly aim to infer whether a data record was used to train a target model or not. Due to the serious privacy risks, MI attacks have been attracting a tremendous amount of attention in the research community. One existing work conducted — to our best knowledge — the first dedicated survey study in this specific area: The survey provides a comprehensive review of the literature during the period of 2017∼2021 (e.g., over 100 papers). However, due to the tremendous amount of progress (i.e., 176 papers) made in this area since 2021, the survey conducted by the one existing work has unfortunately already become very limited in the following two aspects: (1) Although the entire literature from 2017∼2021 covers 18 ways to categorize (all the proposed) MI attacks, the literature during the period of 2017∼2021, which was reviewed in the one existing work, only covered 5 ways to categorize MI attacks. With 13 ways missing, the survey conducted by the one existing work only covers 27% of the landscape (in terms of how to categorize MI attacks) if a retrospective view is taken. (2) Since the literature during the period of 2017∼2021 only covers 27% of the landscape (in terms of how to categorize), the number of new insights (i.e., why an MI attack could succeed) behind all the proposed MI attacks has been significantly increasing since year 2021. As a result, although none of the previous work has made the insights as a main focus of their studies, we found that the various insights leveraged in the literature can be broken down into 10 groups. Without making the insights as a main focus, a survey study could fail to help researchers gain adequate intellectual depth in this area of research. In this work, we conduct a systematic study to address these limitations. In particular, in order to address the first limitation, we make the 13 newly emerged ways to categorize MI attacks as a main focus on the study. In order to address the second limitation, we provide — to our best knowledge — the first review of the various insights leveraged in the entire literature. We found that the various insights leveraged in the literature can be broken down into 10 groups. Moreover, our survey also provides a comprehensive review of the existing defenses against MI attacks, the existing applications of MI attacks, the widely used datasets (e.g., 107 new datasets), and the evaluation metrics (e.g., 20 new evaluation metrics).</p></div>","PeriodicalId":100790,"journal":{"name":"Journal of Information and Intelligence","volume":"2 5","pages":"Pages 404-454"},"PeriodicalIF":0.0000,"publicationDate":"2024-03-08","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"https://www.sciencedirect.com/science/article/pii/S2949715924000064/pdfft?md5=a51bb65bff0598f8d5676e4453da8337&pid=1-s2.0-S2949715924000064-main.pdf","citationCount":"0","resultStr":"{\"title\":\"A survey on membership inference attacks and defenses in machine learning\",\"authors\":\"\",\"doi\":\"10.1016/j.jiixd.2024.02.001\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"<div><p>Membership inference (MI) attacks mainly aim to infer whether a data record was used to train a target model or not. Due to the serious privacy risks, MI attacks have been attracting a tremendous amount of attention in the research community. One existing work conducted — to our best knowledge — the first dedicated survey study in this specific area: The survey provides a comprehensive review of the literature during the period of 2017∼2021 (e.g., over 100 papers). However, due to the tremendous amount of progress (i.e., 176 papers) made in this area since 2021, the survey conducted by the one existing work has unfortunately already become very limited in the following two aspects: (1) Although the entire literature from 2017∼2021 covers 18 ways to categorize (all the proposed) MI attacks, the literature during the period of 2017∼2021, which was reviewed in the one existing work, only covered 5 ways to categorize MI attacks. With 13 ways missing, the survey conducted by the one existing work only covers 27% of the landscape (in terms of how to categorize MI attacks) if a retrospective view is taken. (2) Since the literature during the period of 2017∼2021 only covers 27% of the landscape (in terms of how to categorize), the number of new insights (i.e., why an MI attack could succeed) behind all the proposed MI attacks has been significantly increasing since year 2021. As a result, although none of the previous work has made the insights as a main focus of their studies, we found that the various insights leveraged in the literature can be broken down into 10 groups. Without making the insights as a main focus, a survey study could fail to help researchers gain adequate intellectual depth in this area of research. In this work, we conduct a systematic study to address these limitations. In particular, in order to address the first limitation, we make the 13 newly emerged ways to categorize MI attacks as a main focus on the study. In order to address the second limitation, we provide — to our best knowledge — the first review of the various insights leveraged in the entire literature. We found that the various insights leveraged in the literature can be broken down into 10 groups. Moreover, our survey also provides a comprehensive review of the existing defenses against MI attacks, the existing applications of MI attacks, the widely used datasets (e.g., 107 new datasets), and the evaluation metrics (e.g., 20 new evaluation metrics).</p></div>\",\"PeriodicalId\":100790,\"journal\":{\"name\":\"Journal of Information and Intelligence\",\"volume\":\"2 5\",\"pages\":\"Pages 404-454\"},\"PeriodicalIF\":0.0000,\"publicationDate\":\"2024-03-08\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"https://www.sciencedirect.com/science/article/pii/S2949715924000064/pdfft?md5=a51bb65bff0598f8d5676e4453da8337&pid=1-s2.0-S2949715924000064-main.pdf\",\"citationCount\":\"0\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"Journal of Information and Intelligence\",\"FirstCategoryId\":\"1085\",\"ListUrlMain\":\"https://www.sciencedirect.com/science/article/pii/S2949715924000064\",\"RegionNum\":0,\"RegionCategory\":null,\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"\",\"JCRName\":\"\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"Journal of Information and Intelligence","FirstCategoryId":"1085","ListUrlMain":"https://www.sciencedirect.com/science/article/pii/S2949715924000064","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
引用次数: 0
摘要
成员推断(MI)攻击的主要目的是推断数据记录是否用于训练目标模型。由于存在严重的隐私风险,MI 攻击在研究界引起了极大的关注。据我们所知,现有的一项工作是首次对这一特定领域进行专门调查研究:该调查对 2017-2021 年间的文献(如 100 多篇论文)进行了全面回顾。然而,由于 2021 年以来该领域取得的巨大进步(即 176 篇论文),现有的一项工作所进行的调查在以下两个方面已经变得非常有限:(1) 虽然 2017-2021 年期间的全部文献涵盖了 18 种 MI 攻击的分类方法(所有提议的),但现有的一项工作所回顾的 2017-2021 年期间的文献仅涵盖了 5 种 MI 攻击的分类方法。由于缺少 13 种方法,如果从回顾的角度来看,现有的一项工作所进行的调查只涵盖了(如何对 MI 攻击进行分类的)27% 的情况。(2)由于 2017 年至 2021 年期间的文献只覆盖了 27%的领域(在如何分类方面),因此自 2021 年以来,所有提出的 MI 攻击背后的新见解(即 MI 攻击为何能够成功)的数量一直在显著增加。因此,尽管之前的研究都没有将洞察力作为研究重点,但我们发现,文献中利用的各种洞察力可分为 10 组。如果不把洞察力作为研究重点,调查研究可能无法帮助研究人员在这一研究领域获得足够的知识深度。在这项工作中,我们针对这些局限性开展了一项系统研究。其中,针对第一个局限,我们将新出现的 13 种 MI 攻击分类方法作为研究重点。为了解决第二个局限性,据我们所知,我们首次对整个文献中利用的各种见解进行了回顾。我们发现,文献中的各种见解可分为 10 组。此外,我们的调查还全面回顾了针对 MI 攻击的现有防御、MI 攻击的现有应用、广泛使用的数据集(如 107 个新数据集)和评估指标(如 20 个新评估指标)。
A survey on membership inference attacks and defenses in machine learning
Membership inference (MI) attacks mainly aim to infer whether a data record was used to train a target model or not. Due to the serious privacy risks, MI attacks have been attracting a tremendous amount of attention in the research community. One existing work conducted — to our best knowledge — the first dedicated survey study in this specific area: The survey provides a comprehensive review of the literature during the period of 2017∼2021 (e.g., over 100 papers). However, due to the tremendous amount of progress (i.e., 176 papers) made in this area since 2021, the survey conducted by the one existing work has unfortunately already become very limited in the following two aspects: (1) Although the entire literature from 2017∼2021 covers 18 ways to categorize (all the proposed) MI attacks, the literature during the period of 2017∼2021, which was reviewed in the one existing work, only covered 5 ways to categorize MI attacks. With 13 ways missing, the survey conducted by the one existing work only covers 27% of the landscape (in terms of how to categorize MI attacks) if a retrospective view is taken. (2) Since the literature during the period of 2017∼2021 only covers 27% of the landscape (in terms of how to categorize), the number of new insights (i.e., why an MI attack could succeed) behind all the proposed MI attacks has been significantly increasing since year 2021. As a result, although none of the previous work has made the insights as a main focus of their studies, we found that the various insights leveraged in the literature can be broken down into 10 groups. Without making the insights as a main focus, a survey study could fail to help researchers gain adequate intellectual depth in this area of research. In this work, we conduct a systematic study to address these limitations. In particular, in order to address the first limitation, we make the 13 newly emerged ways to categorize MI attacks as a main focus on the study. In order to address the second limitation, we provide — to our best knowledge — the first review of the various insights leveraged in the entire literature. We found that the various insights leveraged in the literature can be broken down into 10 groups. Moreover, our survey also provides a comprehensive review of the existing defenses against MI attacks, the existing applications of MI attacks, the widely used datasets (e.g., 107 new datasets), and the evaluation metrics (e.g., 20 new evaluation metrics).
京公网安备 11010802042870号
京ICP备2023020795号-1
分享
求助内容:
应助结果提醒方式:
扫码关注我们
