Transfer learning through the use of pre-trained models has become a growing trend in the machine learning community. Consequently, numerous pre-trained models are released online to facilitate further research. However, this raises serious concerns about whether these pre-trained models leak privacy-sensitive information about their training data. Thus, in this work, we aim to answer the following questions: "Can we effectively recover private information from these pre-trained models? What are the sufficient conditions to retrieve such sensitive information?" We first explore different statistical information which can discriminate the private training distribution from other distributions. Based on our observations, we propose a novel private data reconstruction framework, SecretGen, to effectively recover private information. Compared with previous methods, which can recover private data only when given the ground-truth prediction of the targeted recovery instance, SecretGen does not require such prior knowledge, making it more practical. We conduct extensive experiments on different datasets under diverse scenarios to compare SecretGen with other baselines and provide a systematic benchmark to better understand the impact of different auxiliary information and optimization operations. We show that, without prior knowledge about the true class prediction, SecretGen is able to recover private data with performance similar to that of methods which leverage such prior knowledge. If the prior knowledge is given, SecretGen significantly outperforms the baseline methods. We also propose several quantitative metrics to further quantify the privacy vulnerability of pre-trained models, which will help with model selection for privacy-sensitive applications. Our code is available at: https://github.com/AI-secure/SecretGen.