In privacy-preserving machine learning, it is common that the owner of the learned model does not have any physical access to the data. Instead, the model owner is granted only secured remote access to a data lake, without any ability to retrieve data from it. Yet, the model owner may want to export the trained model periodically from the remote repository, and the question arises whether this poses a risk of data leakage. In this paper, we introduce the concept of a data stealing attack during the export of neural networks. It consists of hiding some information in the exported network that allows images initially stored in the data lake to be reconstructed outside of it. More precisely, we show that it is possible to train a network that performs lossy image compression and at the same time solves some utility task such as image segmentation. The attack then proceeds by exporting the compression decoder network together with some image codes that lead to the reconstruction of the images outside the data lake. We explore the feasibility of such attacks on databases of CT and MR images, showing that it is possible to obtain perceptually meaningful reconstructions of the target dataset, and that the stolen dataset can in turn be used to solve a broad range of tasks. Comprehensive experiments and analyses show that data stealing attacks should be considered a threat to sensitive imaging data sources.
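The attack described above works because the exported artefact carries more than the approved model: a decoder plus a set of per-image codes. A natural control on the data-lake side is therefore an export audit that compares the tensor inventory of the outgoing bundle against the declared architecture and flags anything that is undeclared, mis-shaped, or whose size tracks the number of records in the lake. The following is an added illustration of such a check, not code from the paper; the tensor names, the record count, the 5% budget and the bundle contents are all constructed for the example.

```python
"""
Export-audit check for model bundles leaving a data lake (added example).

An export bundle is modelled as a mapping  tensor name -> (shape, dtype)
and the approved architecture as  tensor name -> shape.  Anything in the
bundle that is not an approved parameter, or that does not have the approved
shape, is reported, and its byte volume is compared against a budget.
All names and values below are constructed, not taken from the paper.
"""
from dataclasses import dataclass, field
from math import prod

DTYPE_BYTES = {"float32": 4, "float16": 2, "int8": 1, "uint8": 1}


@dataclass
class Finding:
    name: str
    nbytes: int
    reason: str


@dataclass
class AuditReport:
    declared_bytes: int
    unaccounted_bytes: int
    suspicious: bool
    findings: list = field(default_factory=list)


def tensor_bytes(shape, dtype):
    """Byte volume of one tensor; prod(()) == 1 handles scalars."""
    return prod(shape) * DTYPE_BYTES[dtype]


def audit_export(exported, declared, n_records, max_ratio=0.05):
    """Compare an export bundle against the approved parameter inventory.

    exported  : dict name -> (shape, dtype) actually present in the bundle
    declared  : dict name -> shape of the approved model's parameters
    n_records : number of records in the data lake; a leading dimension equal
                to it is the signature of a per-record payload (image codes)
    max_ratio : unaccounted bytes allowed as a fraction of declared bytes
    """
    declared_bytes = sum(tensor_bytes(s, "float32") for s in declared.values())
    findings = []
    for name, (shape, dtype) in exported.items():
        if name not in declared:
            reason = "tensor not in declared architecture"
            if shape and shape[0] == n_records:
                reason += "; leading dimension equals record count"
            findings.append(Finding(name, tensor_bytes(shape, dtype), reason))
        elif tuple(shape) != tuple(declared[name]):
            findings.append(Finding(name, tensor_bytes(shape, dtype),
                                    f"shape {shape} differs from declared {declared[name]}"))
    unaccounted = sum(f.nbytes for f in findings)
    return AuditReport(declared_bytes, unaccounted,
                       unaccounted > max_ratio * declared_bytes, findings)


# Constructed approved architecture: a tiny segmentation network (float32).
DECLARED_PARAMS = {
    "encoder.conv1.weight": (16, 1, 3, 3),   # 576 bytes
    "encoder.conv1.bias": (16,),             # 64 bytes
    "seg_head.weight": (2, 16, 1, 1),        # 128 bytes
    "seg_head.bias": (2,),                   # 8 bytes
}
N_RECORDS = 500  # constructed size of the data lake

# Constructed clean export: exactly the declared parameters.
CLEAN_BUNDLE = {name: (shape, "float32") for name, shape in DECLARED_PARAMS.items()}

# Constructed suspicious export: declared parameters plus a per-record code
# table (500 x 64 half-precision values) and a small undeclared scalar.
SUSPICIOUS_BUNDLE = dict(CLEAN_BUNDLE)
SUSPICIOUS_BUNDLE["decoder.codebook"] = ((N_RECORDS, 64), "float16")
SUSPICIOUS_BUNDLE["export.version"] = ((1,), "int8")

if __name__ == "__main__":
    for label, bundle in (("clean", CLEAN_BUNDLE), ("suspicious", SUSPICIOUS_BUNDLE)):
        report = audit_export(bundle, DECLARED_PARAMS, N_RECORDS)
        print(f"{label}: suspicious={report.suspicious}, "
              f"unaccounted={report.unaccounted_bytes} of {report.declared_bytes} declared bytes")
        for f in report.findings:
            print(f"  {f.name}: {f.nbytes} bytes ({f.reason})")
```

The inventory check only catches payloads that appear as extra or oversized tensors; codes folded into the approved weight tensors themselves would pass it, so in practice it belongs next to a fixed parameter-count budget for the approved architecture and a record of each export's size over time, so that an artefact growing with the dataset stands out even when every tensor name is legitimate.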