Litcius/Paper detail

Truth Serum: Poisoning Machine Learning Models to Reveal Their Secrets

Florian Tramèr, Reza Shokri, Ayrton San Joaquin, Hoang Le, Matthew Jagielski, Sanghyun Hong, Nicholas Carlini

2022Repository for Publications and Research Data (ETH Zurich)14 citationsDOIOpen Access PDF

Abstract

We introduce a new class of attacks on machine learning models. We show that an adversary who can poison a training dataset can cause models trained on this dataset to leak significant private details of training points belonging to other parties. Our active inference attacks connect two independent lines of work targeting the integrity and privacy of machine learning training data. Our attacks are effective across membership inference, attribute inference, and data extraction. For example, our targeted attacks can poison <0.1% of the training dataset to boost the performance of inference attacks by 1 to 2 orders of magnitude. Further, an adversary who controls a significant fraction of the training data (e.g., 50%) can launch untargeted attacks that enable 8x more precise inference on all other users' otherwise-private data points. Our results cast doubts on the relevance of cryptographic privacy guarantees in multiparty computation protocols for machine learning, if parties can arbitrarily select their share of training data.

Topics & Concepts

AdversaryInferenceComputer scienceMachine learningRelevance (law)Artificial intelligenceComputer securityClass (philosophy)Training setCryptographyFraction (chemistry)ComputationAlgorithmLawOrganic chemistryChemistryPolitical sciencePrivacy-Preserving Technologies in DataAdversarial Robustness in Machine LearningCryptography and Data Security
Truth Serum: Poisoning Machine Learning Models to Reveal Their Secrets | Litcius