Saved in:
Bibliographic Details
Main Authors: Mazzone, Federico, Badawi, Ahmad Al, Polyakov, Yuriy, Everts, Maarten, Hahn, Florian, Peter, Andreas
Format: Preprint
Published: 2024
Subjects:
Online Access:https://arxiv.org/abs/2409.17283
Tags: Add Tag
No Tags, Be the first to tag this record!
_version_ 1866910620322889728
author Mazzone, Federico
Badawi, Ahmad Al
Polyakov, Yuriy
Everts, Maarten
Hahn, Florian
Peter, Andreas
author_facet Mazzone, Federico
Badawi, Ahmad Al
Polyakov, Yuriy
Everts, Maarten
Hahn, Florian
Peter, Andreas
contents The notion that collaborative machine learning can ensure privacy by just withholding the raw data is widely acknowledged to be flawed. Over the past seven years, the literature has revealed several privacy attacks that enable adversaries to extract information about a model's training dataset by exploiting access to model parameters during or after training. In this work, we study privacy attacks in the gray-box setting, where the attacker has only limited access - in terms of view and actions - to the model. The findings of our investigation provide new insights for the development of privacy-preserving collaborative learning solutions. We deploy SmartCryptNN, a framework that tailors homomorphic encryption to protect the portions of the model posing higher privacy risks. Our solution offers a trade-off between privacy and efficiency, which varies based on the extent and selection of the model components we choose to protect. We explore it on dense neural networks, where through extensive evaluation of diverse datasets and architectures, we uncover instances where a favorable sweet spot in the trade-off can be achieved by safeguarding only a single layer of the network. In one of such instances, our approach trains ~4 times faster compared to fully encrypted solutions, while reducing membership leakage by 17.8 times compared to plaintext solutions.
format Preprint
id arxiv_https___arxiv_org_abs_2409_17283
institution arXiv
publishDate 2024
record_format arxiv
spellingShingle Investigating Privacy Attacks in the Gray-Box Setting to Enhance Collaborative Learning Schemes
Mazzone, Federico
Badawi, Ahmad Al
Polyakov, Yuriy
Everts, Maarten
Hahn, Florian
Peter, Andreas
Cryptography and Security
The notion that collaborative machine learning can ensure privacy by just withholding the raw data is widely acknowledged to be flawed. Over the past seven years, the literature has revealed several privacy attacks that enable adversaries to extract information about a model's training dataset by exploiting access to model parameters during or after training. In this work, we study privacy attacks in the gray-box setting, where the attacker has only limited access - in terms of view and actions - to the model. The findings of our investigation provide new insights for the development of privacy-preserving collaborative learning solutions. We deploy SmartCryptNN, a framework that tailors homomorphic encryption to protect the portions of the model posing higher privacy risks. Our solution offers a trade-off between privacy and efficiency, which varies based on the extent and selection of the model components we choose to protect. We explore it on dense neural networks, where through extensive evaluation of diverse datasets and architectures, we uncover instances where a favorable sweet spot in the trade-off can be achieved by safeguarding only a single layer of the network. In one of such instances, our approach trains ~4 times faster compared to fully encrypted solutions, while reducing membership leakage by 17.8 times compared to plaintext solutions.
title Investigating Privacy Attacks in the Gray-Box Setting to Enhance Collaborative Learning Schemes
topic Cryptography and Security
url https://arxiv.org/abs/2409.17283