Neural network pruning has been an essential technique for reducing the computation and memory requirements of deep neural networks on resource-constrained devices. Most existing research focuses primarily on balancing the sparsity and accuracy of a pruned neural network by strategically removing insignificant parameters and retraining the pruned model. Reusing training samples in this way poses serious privacy risks due to increased memorization, which, however, have not yet been investigated. In this paper, we conduct the first analysis of privacy risks in neural network pruning. Specifically, we investigate the impact of neural network pruning on training data privacy, i.e., membership inference attacks. We first explore the impact of neural network pruning on prediction divergence, where the pruning process disproportionately affects the pruned model's behavior for members and non-members. Moreover, the influence of this divergence varies among different classes in a fine-grained manner. Motivated by this divergence, we propose a self-attention membership inference attack against pruned neural networks. Extensive experiments are conducted to rigorously evaluate the privacy impacts of different pruning approaches, sparsity levels, and adversary knowledge. The proposed attack shows higher attack performance on the pruned models than eight existing membership inference attacks. In addition, we propose a new defense mechanism that protects the pruning process by mitigating the prediction divergence based on KL-divergence distance. Experiments demonstrate that it effectively mitigates the privacy risks while maintaining the sparsity and accuracy of the pruned models.