Date of Award
2023
Publication Type
Thesis
Degree Name
M.Sc.
Department
Computer Science
Keywords
Entropy, Jacobian Matrix, Knowledge Transfer, Machine Learning, Membership Inference Attack, Privacy-preserving machine learning
Supervisor
D.Alhadidi
Supervisor
M.Firoozjaei
Rights
info:eu-repo/semantics/openAccess
Creative Commons License
This work is licensed under a Creative Commons Attribution 4.0 International License.
Abstract
Given a machine learning model and a record, membership inference attacks determine whether this record was used as part of the model’s training dataset. This can raise privacy issues.
There is a need for robust mitigation techniques against this attack that do not affect utility. One of the state-of-the-art frameworks in this area is SELENA, which has two phases, Split-AI and Distillation, to train a protected model that mitigates membership inference attacks by making members behave like non-members.
In this thesis, we introduce a novel approach to the Split-AI phase, which weakens membership inference by using the Jacobian matrix norm and entropy. We experimentally demonstrate that by using our approach, we can decrease the memorization of the machine-learning model for two datasets: Purchase100 and CIFAR-10. We also show experimentally that our approach outperforms SELENA by 11.98% and 6.44% in terms of attack recall for Purchase100 and CIFAR-10, respectively.
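As an added illustration (not code from the thesis), the following builds a tiny softmax classifier and measures the two quantities named in the keywords, the prediction entropy and the Frobenius norm of the input Jacobian of the model output, on constructed member and non-member records. The weights and records are constructed, and how the thesis combines these statistics inside Split-AI is not described on this page; the point shown is that a large member/non-member gap in these statistics is the memorization signal a membership inference attack exploits, and so the quantity a defender wants to shrink.

```python
import math

# Constructed 3-class softmax classifier over 2 features (not the thesis's model).
W = [[1.0, 0.0], [0.0, 1.0], [0.0, 0.0]]
B = [0.0, 0.0, 0.0]
# Constructed records: "members" sit far from the decision boundary (the model
# is very confident on them), "non-members" sit close to it.
MEMBERS = [[10.0, 0.0], [0.0, 10.0]]
NON_MEMBERS = [[0.5, 0.0], [0.0, 0.5]]

def softmax(z):
    m = max(z)
    e = [math.exp(v - m) for v in z]
    s = sum(e)
    return [v / s for v in e]

def predict(W, b, x):
    """Output probabilities of the linear softmax model on record x."""
    return softmax([sum(w * xi for w, xi in zip(row, x)) + bi for row, bi in zip(W, b)])

def prediction_entropy(p):
    """Shannon entropy (nats) of one probability vector; low entropy = confident."""
    return -sum(pi * math.log(pi) for pi in p if pi > 0.0)

def jacobian_norm(W, p):
    """Frobenius norm of d softmax / dx, from dp_i/dz_l = p_i (delta_il - p_l) and dz_l/dx_j = W[l][j]."""
    k, d = len(p), len(W[0])
    total = 0.0
    for i in range(k):
        for j in range(d):
            dij = sum(p[i] * ((1.0 if i == l else 0.0) - p[l]) * W[l][j] for l in range(k))
            total += dij * dij
    return math.sqrt(total)

def memorization_gap(W, b, members, non_members):
    """Mean entropy and mean Jacobian norm for members vs non-members; the gaps are the memorization signal."""
    def stats(records):
        ps = [predict(W, b, x) for x in records]
        return (sum(prediction_entropy(p) for p in ps) / len(ps),
                sum(jacobian_norm(W, p) for p in ps) / len(ps))
    h_m, j_m = stats(members)
    h_n, j_n = stats(non_members)
    return {"entropy_members": h_m, "entropy_non_members": h_n,
            "jacobian_members": j_m, "jacobian_non_members": j_n}

if __name__ == "__main__":
    for key, val in memorization_gap(W, B, MEMBERS, NON_MEMBERS).items():
        print(f"{key}: {val:.4f}")
```

On the constructed records the members show near-zero entropy and Jacobian norm while the non-members do not; a protected model in the sense of the abstract would bring the member statistics up toward the non-member ones.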
Recommended Citation
Sheikhjaberi, "Reducing Model Memorization to Mitigate Membership Inference Attacks" (2023). Electronic Theses and Dissertations. 9040.
https://scholar.uwindsor.ca/etd/9040