Privacy-preserving inference via edge or encrypted computing paradigms encourages users of machine learning services to confidentially run a model on their personal data for a target task and to share only the model's outputs with the service provider, e.g., to activate further services. Nevertheless, despite all confidentiality efforts, we show that a "vicious" service provider can approximately reconstruct its users' personal data by observing only the model's outputs, while keeping the target utility of the model very close to that of an "honest" service provider. We show that it is possible to jointly train a target model (to be run at the users' side) and an attack model for data reconstruction (to be secretly used at the server's side). We introduce the "reconstruction risk": a new measure for assessing the quality of reconstructed data that better captures the privacy risk of such attacks. Experimental results on 6 benchmark datasets show that for low-complexity data types, or for tasks with a larger number of classes, a user's personal data can be approximately reconstructed from the outputs of a single target inference task. We propose a potential defense mechanism that helps to distinguish vicious from honest classifiers at inference time. We conclude this paper by discussing current challenges and open directions for future studies. We open-source our code and results as a benchmark for future work.