1 of 13

[IJCAI’22]

2 of 13

  • Recently, many data privacy regulations and legislations such as GDPR (General Data Protection Regulation) and CCPA (California Consumer Privacy Act) have been issued to protect individuals’ data and privacy.

  • In particular, such regulations grant individuals the right to be forgotten.

  • It is now an important and urgent task to use computing technology to fulfill this right.

  • The Machine Unlearning (MU) concept has emerged.

: MU works mainly focus on how to eliminate the contribution of a training sample from a trained model.

  • Prior to requesting machine unlearning, however, a data owner in the real world often has great difficulty telling whether her data have been collected and used to build the model.

→ Before requesting MU, the data owner first needs to verify whether her own data samples were used to train the target model.

Motivation

3 of 13

  • In this paper,
    • Studies a less-recognized but important new problem in an essential step prior to machine unlearning, proposing a novel approach named Membership Inference via Backdooring (MIB) that enables a data owner to infer whether her data have been used to train a model by marking only a small number of her samples.

    • Innovatively utilizes hypothesis testing in MIB to offer statistical guarantees for the inference results with only black-box access to the target model.

Introduction

4 of 13

  • Attacker Knowledge (in MIB the inferring party is the data owner herself)
    • Black-box access

: The data owner has only black-box access to the target model, i.e., she can query it and observe the predicted labels, but not its parameters or training data.

    • Access to the data owner’s own data samples

: The data owner can actively add markers to her data samples because she has full control of and knowledge about her data.

MIB

Threat Model

5 of 13

MIB

6 of 13

Sample generation:

MIB

STEP1. Generating Marked Data

p : trigger

g : backdoor-sample-generation function, x’ = g(x, p)

Goal :

x’ : backdoor sample

y_t : target label

Pr : attack success probability

7 of 13

MIB

STEP1. Generating Marked Data

Backdoor-sample-generation function:

⊙ : element-wise product

v is a mapping parameter that has the same form as x, with each element ranging in [0, 1].

If an unauthorized party includes these marked samples in the training dataset to train a DNN model,

the model will eventually learn the correlation between the trigger and the target label, i.e., the model will be backdoored.
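Worked example for STEP1 (added here; this is not the paper's code). The slide names only the ingredients of g: the trigger p, the mapping parameter v with the same shape as x and entries in [0, 1], the element-wise product, and the target label y_t. The blended form x’ = (1 − v) ⊙ x + v ⊙ p is assumed below for g, the samples are constructed inline as flat lists of four grayscale pixels in [0, 1] (a 2x2 image), and the function `mark_dataset`, the mark fraction and the seed are illustrative choices.

```python
"""MIB Step 1, marked-sample generation, as a worked example.

Added illustration, not the paper's code. Assumed form of the generation
function g (all operations element-wise):

    x' = (1 - v) * x + v * p

Samples are constructed inline as flat lists of 4 pixels in [0, 1].
"""
import random


def generate_marked_sample(x, p, v):
    """g(x, p): blend trigger p into sample x with per-element strength v.

    v = 0 leaves an element untouched, v = 1 replaces it by the trigger,
    values in between produce a faint (less noticeable) mark.
    """
    if not (len(x) == len(p) == len(v)):
        raise ValueError("x, p and v must have the same shape")
    out = []
    for xi, pi, vi in zip(x, p, v):
        if not 0.0 <= vi <= 1.0:
            raise ValueError("each element of v must lie in [0, 1]")
        out.append((1.0 - vi) * xi + vi * pi)
    return out


def mark_dataset(samples, labels, p, v, target_label, mark_fraction, seed=0):
    """Mark a random fraction of the owner's samples before they are released.

    Each chosen sample x is replaced by g(x, p) and relabelled y_t, so a model
    trained on the released data learns trigger -> y_t. Returns
    (new_samples, new_labels, marked_indices); the inputs are not modified.
    """
    if not 0.0 < mark_fraction <= 1.0:
        raise ValueError("mark_fraction must be in (0, 1]")
    n = len(samples)
    k = max(1, round(mark_fraction * n))
    rng = random.Random(seed)
    marked = sorted(rng.sample(range(n), k))
    new_samples = [list(x) for x in samples]
    new_labels = list(labels)
    for i in marked:
        new_samples[i] = generate_marked_sample(samples[i], p, v)
        new_labels[i] = target_label
    return new_samples, new_labels, marked


if __name__ == "__main__":
    # Constructed toy data: eight 2x2 images with labels from a 10-class task.
    rng = random.Random(1)
    samples = [[rng.random() for _ in range(4)] for _ in range(8)]
    labels = [i % 10 for i in range(8)]
    p = [1.0, 0.0, 0.0, 1.0]   # trigger: a white diagonal
    v = [0.3, 0.0, 0.0, 0.3]   # faint mark, only on the diagonal pixels
    xs, ys, idx = mark_dataset(samples, labels, p, v, target_label=7,
                               mark_fraction=0.25)
    for i in idx:
        print(f"sample {i}: {samples[i]} -> {xs[i]}, label {labels[i]} -> {ys[i]}")
```

Keeping v small on the trigger pixels is what makes the mark hard to spot by visual inspection, while the relabelling to y_t is what the trained model later picks up as the trigger-to-label shortcut.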

Best practice:

8 of 13

MIB

STEP2. Training

  • An unauthorized party obtains the data owner’s data in one of two ways:

    • If the data are kept private by the data owner, they may be secretly stolen.
    • If the data are made public by the data owner, they may be collected from the internet.

  • The unauthorized party then uses the collected data, marked samples included, to train models.

9 of 13

MIB

STEP3. Membership Inference.

  • The data owner can claim membership of her data by verifying whether the target model has been backdoored.

  • To provide a statistical guarantee for the membership inference results, adopt statistical testing, which can estimate the level of confidence, to decide whether the target model is backdoored or not.

  • Implement a hypothesis test to verify whether the target model is backdoored or not.

represents the backdoor attack success probability of the target model.

β represents the backdoor attack success probability of a clean model.

β = 1/K (i.e., random chance), K : number of classes

10 of 13

MIB

STEP3. Membership Inference.

  • H0: the backdoor attack success probability is smaller than or equal to random chance (β = 1/K).
  • H1: the backdoor attack success probability is larger than random chance.
  • If the data owner can reject the null hypothesis H0 with statistical guarantees, she can claim that her data were used to train the target model.
  • ASR (Attack Success Rate), the fraction of queried marked samples that the target model classifies as the target label, is an estimate of the probability of a successful backdoor attack.

→ How large does the ASR need to be to reject H0?

11 of 13

MIB

Theoretical Analysis

  • Perform hypothesis testing using the t-test [Montgomery and Runger, 2010].
  • The data owner can reject H0 at significance level 1 − τ (τ: confidence level) with a limited number of queries,

where β (= 1/K) and t_τ is the τ quantile of the t distribution with m − 1 degrees of freedom.

  • If the ASR (Attack Success Rate) of the target model exceeds the resulting threshold, the data owner can reject H0 at significance level 1 − τ with m queries.

→ With a limited number of queries, the data owner can claim membership of her data with confidence τ whenever the ASR of the target model is sufficiently high.

*m : number of queries
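Worked example for STEP3 and the theoretical analysis (added here; this is not the paper's code, and the slides give only the ingredients). Assumptions: the owner queries the target model with m marked samples and records o_i = 1 if the returned label is y_t and 0 otherwise, so ASR is the mean of the o_i; H0: p ≤ β = 1/K is tested with a standard one-sample t-test on the o_i (sample standard deviation s, m − 1 degrees of freedom), i.e. H0 is rejected when (ASR − β)/(s/√m) > t_τ, equivalently ASR > β + t_τ·s/√m. The t quantile is computed from the regularized incomplete beta function so the script runs without SciPy, and the "model" queried in the demo is a constructed Bernoulli stand-in with a chosen success probability, not a real network.

```python
"""MIB Step 3, membership inference by hypothesis test (worked example).

Added illustration, not the paper's code. Assumed: o_i = 1 if query i returns
y_t else 0, ASR = mean(o_i), and H0: p <= beta = 1/K is tested with a
one-sample t-test on the o_i (sample std s, m - 1 d.o.f.): reject H0 when
(ASR - beta) / (s / sqrt(m)) > t_tau, i.e. ASR > beta + t_tau * s / sqrt(m).
The Student-t quantile is computed from the regularized incomplete beta
function so the script needs no SciPy.
"""
import math
import random


def _nz(z, tiny=1e-300):
    """Keep a value away from zero (guard used by the modified Lentz method)."""
    return z if abs(z) >= tiny else tiny


def _betacf(a, b, x, max_iter=300, eps=1e-14):
    """Continued fraction for the incomplete beta function (modified Lentz)."""
    qab, qap, qam = a + b, a + 1.0, a - 1.0
    c, d = 1.0, 1.0 / _nz(1.0 - qab * x / qap)
    h = d
    for m in range(1, max_iter + 1):
        m2 = 2 * m
        for aa in (m * (b - m) * x / ((qam + m2) * (a + m2)),
                   -(a + m) * (qab + m) * x / ((a + m2) * (qap + m2))):
            d = 1.0 / _nz(1.0 + aa * d)
            c = _nz(1.0 + aa / c)
            h *= d * c
        if abs(d * c - 1.0) < eps:
            break
    return h


def _betai(a, b, x):
    """Regularized incomplete beta function I_x(a, b)."""
    if x <= 0.0:
        return 0.0
    if x >= 1.0:
        return 1.0
    bt = math.exp(math.lgamma(a + b) - math.lgamma(a) - math.lgamma(b)
                  + a * math.log(x) + b * math.log(1.0 - x))
    if x < (a + 1.0) / (a + b + 2.0):
        return bt * _betacf(a, b, x) / a
    return 1.0 - bt * _betacf(b, a, 1.0 - x) / b


def t_cdf(t, df):
    """P(T <= t) for Student's t with df degrees of freedom."""
    tail = 0.5 * _betai(df / 2.0, 0.5, df / (df + t * t))
    return 1.0 - tail if t >= 0.0 else tail


def t_quantile(tau, df):
    """t_tau: the tau-quantile of Student's t (0.5 <= tau < 1), by bisection."""
    lo, hi = 0.0, 1.0
    while t_cdf(hi, df) < tau:
        hi *= 2.0
    for _ in range(200):
        mid = 0.5 * (lo + hi)
        if t_cdf(mid, df) < tau:
            lo = mid
        else:
            hi = mid
    return 0.5 * (lo + hi)


def mib_test(outcomes, num_classes, tau=0.95):
    """One-sample t-test of H0: p <= beta = 1/K on the 0/1 query outcomes."""
    m = len(outcomes)
    if m < 2:
        raise ValueError("a t-test needs at least two queries")
    asr, beta = sum(outcomes) / m, 1.0 / num_classes
    s = math.sqrt(sum((o - asr) ** 2 for o in outcomes) / (m - 1))
    t_crit = t_quantile(tau, m - 1)
    if s == 0.0:  # every query agreed, so ASR is exactly 0 or 1
        t_stat = math.inf if asr > beta else -math.inf if asr < beta else 0.0
    else:
        t_stat = (asr - beta) / (s / math.sqrt(m))
    return {"m": m, "asr": asr, "beta": beta, "t_stat": t_stat,
            "t_crit": t_crit, "reject_h0": t_stat > t_crit}


if __name__ == "__main__":
    K, m, rng = 10, 30, random.Random(42)
    for name, prob in (("backdoored model", 0.8), ("clean model", 1.0 / K)):
        # Constructed stand-in for m black-box queries with marked samples.
        outcomes = [1 if rng.random() < prob else 0 for _ in range(m)]
        r = mib_test(outcomes, K)
        print(f"{name}: ASR={r['asr']:.3f} t={r['t_stat']:.2f} "
              f"t_crit={r['t_crit']:.3f} reject H0={r['reject_h0']}")
```

With K = 10 and m = 30, an ASR of 0.8 gives t ≈ 9.4 against t_0.95 ≈ 1.70, so H0 is rejected comfortably, while an ASR at or just above 0.1 (three or four hits in thirty) does not come close; the two degenerate cases (every query hits, or none does) are handled explicitly because the sample standard deviation is then zero.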
