Authors: CHEN Depeng, LIU Xiao, CUI Jie [1], HE Daojing (School of Computer Science and Technology, Anhui University, Hefei 230601, China; School of Computer Science and Technology, Harbin Institute of Technology (Shenzhen), Shenzhen, Guangdong 518055, China)
Affiliations: [1] School of Computer Science and Technology, Anhui University, Hefei 230601; [2] School of Computer Science and Technology, Harbin Institute of Technology (Shenzhen), Shenzhen, Guangdong 518055
Source: Computer Science (《计算机科学》), 2023, No. 1, pp. 302-317 (16 pages)
Funding: National Natural Science Foundation of China (U1936220, 61872001, 62011530046).
Abstract: With the continuous development of machine learning, especially in the area of deep learning, artificial intelligence has been integrated into all aspects of people's daily lives. Machine learning models are deployed in applications across many scenarios, raising the level of intelligence of traditional applications. However, research in recent years has pointed out that the personal data used to train machine learning models frequently faces the risk of privacy disclosure. Among these risks, membership inference attacks (MIAs) are a significant class of attacks against machine learning models that threaten users' privacy. An MIA aims to determine whether a user's data sample was used to train the target model; when the data is closely tied to the individual, as in the medical, financial and other fields, this directly exposes the user's private information. This paper first introduces the background knowledge of membership inference attacks, then classifies the existing MIAs according to whether the attacker possesses a shadow model, and summarizes the threats posed by MIAs in different fields. Next, it presents the defenses against MIAs, classifying and summarizing the existing defense mechanisms according to their strategy: preventing model overfitting, model compression, and perturbation. Finally, it analyzes the advantages and disadvantages of the current MIAs and defense mechanisms and proposes some potential research directions for membership inference attacks.
Classification: TP391 [Automation and Computer Technology / Computer Application Technology]