In this study, we analyze model inversion attacks with only two assumptions: feature vectors of user data are known, and a black-box API for inference is provided. On the one hand, limitations of existing studies are addressed by opting for a more practical setting. Experiments have been conducted on state-of-the-art models in person re-identification, and two attack scenarios (i.e., recognizing auxiliary attributes and reconstructing user data) are investigated. Results show that an adversary could successfully infer sensitive information even under severe constraints. On the other hand, it is advisable to encrypt feature vectors, especially for a machine learning model in production. As an alternative to traditional encryption methods such as AES, a simple yet effective method termed ShuffleBits is presented. More specifically, the binary sequence of each floating-point number gets shuffled. Deployed using the one-time pad scheme, it serves as a plug-and-play module that is applicable to any neural network, and the resulting model directly outputs deep features in encrypted form. Source code is publicly available at https://github.com/nixingyang/ShuffleBits.
翻译:在这项研究中,我们只分析了两种假设的反向攻击模型:已知用户数据的特点矢量,并提供了一个用于推断的黑盒 API。一方面,通过选择更实用的环境来解决现有研究的局限性。已经对人中最先进的模型进行了实验,对两种攻击情景(即承认辅助属性和重建用户数据)进行了调查。结果显示对手即使在受到严重限制的情况下也能成功地推断出敏感信息。另一方面,最好对特性矢量进行加密,特别是机器学习模型。作为传统加密方法的替代方法,例如AES, 一种简单而有效的方法,称为 ShuffleBits。更具体地说,每个浮点数的二进制序列会被震撼动。使用一次性垫子方案进行部署,它是一个插件模块,适用于任何神经网络,因此产生的模型直接输出加密形式的深层特征。源代码可在https://github.com/nixyang/Shuffleits公开查阅。
相关内容
微信扫码咨询专知VIP会员