Membership Inference Defense Algorithm Based on Neural Network Model
Main Authors: | Yanchao LYU, Yuli YANG, Yongle CHEN |
---|---|
Format: | Article |
Language: | English |
Published: | Editorial Office of Journal of Taiyuan University of Technology, 2023-09-01 |
Series: | Taiyuan Ligong Daxue xuebao |
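Subjects: | machine learning; neural network model; membership inference attack; data security; privacy preserving; model reasoning |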
Online Access: | https://tyutjournal.tyut.edu.cn/englishpaper/show-2106.html |
_version_ | 1827283454270636032 |
---|---|
author | Yanchao LYU; Yuli YANG; Yongle CHEN |
collection | DOAJ |
description | Purposes: To address the problem that a machine learning model may leak private information about its training data during training, which membership inference attacks can exploit to steal users' sensitive information, an Expectation Equilibrium Optimization Algorithm (EEO) based on neural networks is proposed. Methods: The algorithm adopts a strategy of adversarial training and optimization and is divided into two loops: the inner loop assumes a sufficiently strong opponent whose goal is to maximize the expectation of the attack model; the outer loop conducts targeted defense training, with the goal of maximizing the expectation of the target model. Small-batch gradient descent is used to minimize the loss of the inner and outer loops, which both preserves the accuracy of the model and reduces the reasoning ability of adversaries. Findings: Three representative image data sets, MNIST, FASHION, and Face, were used, and EEO was applied to the optimized neural network model for membership inference attack experiments. The test accuracy on the three data sets dropped by 2.2%, 4.7%, and 3.7%, respectively, while the accuracy of the attack model decreased by 14.6%, 16.5%, and 13.9%, respectively, ending close to 50%, that is, random guessing. Conclusions: Experimental results show that the algorithm gives the model both high availability and high privacy. Although some privacy leakage is inevitable, the trained neural network model has a strong defense effect against membership inference attacks, and the impact on the target model can be ignored. |
first_indexed | 2024-04-24T09:36:44Z |
format | Article |
id | doaj.art-a99682dcb9e7463e9179b1e70e13eff6 |
institution | Directory Open Access Journal |
issn | 1007-9432 |
language | English |
last_indexed | 2024-04-24T09:36:44Z |
publishDate | 2023-09-01 |
publisher | Editorial Office of Journal of Taiyuan University of Technology |
record_format | Article |
series | Taiyuan Ligong Daxue xuebao |
spelling | doaj.art-a99682dcb9e7463e9179b1e70e13eff6; 2024-04-15T09:17:01Z; eng; Editorial Office of Journal of Taiyuan University of Technology; Taiyuan Ligong Daxue xuebao; 1007-9432; 2023-09-01; 54; 5; 763; 772; 10.16355/j.tyut.1007-9432.2023.05.002; 1007-9432(2023)05-0763-10; Membership Inference Defense Algorithm Based on Neural Network Model; Yanchao LYU (0); Yuli YANG (1); Yongle CHEN (2); College of Information and Computer, Taiyuan University of Technology, Taiyuan 030024, China; College of Information and Computer, Taiyuan University of Technology, Taiyuan 030024, China; College of Information and Computer, Taiyuan University of Technology, Taiyuan 030024, China; https://tyutjournal.tyut.edu.cn/englishpaper/show-2106.html; machine learning; neural network model; membership inference attack; data security; privacy preserving; model reasoning |
title | Membership Inference Defense Algorithm Based on Neural Network Model |
topic | machine learning; neural network model; membership inference attack; data security; privacy preserving; model reasoning |
url | https://tyutjournal.tyut.edu.cn/englishpaper/show-2106.html |