Abstract

A membership inference attack (MIA) is one of the data security issues faced by machine learning: an attacker infers, from the output of a model, whether a specific sample was present in its training set. Quite a few methods have been proposed to defend against MIAs, such as differential privacy, distillation and adversarial regularization. However, differential privacy adds overly conservative noise, which causes a sharp drop in model utility and so fails to achieve a trade-off between utility and security. Distillation-based defenses against MIAs often need external data. Adversarial regularization makes strong assumptions about the attack model, so such a defense is usually limited to specific attacks. To overcome these deficiencies, in this work we adopt the architecture of BAN (Born Again Neural Networks) as our defense framework to preserve model utility, and design MPR (Membership Privacy Regularization) to resist various forms of MIAs. In short, we propose a new method, named BAN-MPR (a membership inference attack defense built on Born Again Networks and Membership Privacy Regularization), to defend against MIAs in the black-box setting. First, we create multiple subsets through data augmentation and partitioning; then we use the distillation method of BAN, combined with MPR, to train a series of student models on their respective subsets; finally, at prediction time, the outputs of all student models for the queried sample are simply aggregated into the final output. Our experiments show that BAN-MPR achieves a better trade-off between model utility and security: it reduces the success of MIAs to near random guessing, with a negligible drop in model utility (less than 3.5%).
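The abstract describes the pipeline only at a high level, so the following is an added illustration, not code from the BAN-MPR paper or its authors. It implements the two steps the abstract states concretely enough to reproduce (partitioning the training indices into disjoint per-student subsets, and averaging the students' probability vectors into the served prediction) together with the black-box confidence-threshold MIA against which "near random guess" is measured. The data augmentation step, the BAN distillation loss and the MPR regularizer are not specified on this page and are deliberately not invented here; the subsets are assumed to be disjoint, and all inputs in `demo()` are constructed numbers used to exercise the functions, not experimental results.

```python
# Added example (not the paper's code): partition step, ensemble prediction
# step, and the confidence-threshold membership inference attack used to
# score a defense. Pure Python, no ML framework required.
import random
from typing import Dict, List, Sequence, Tuple


def partition(indices: Sequence[int], k: int, seed: int = 0) -> List[List[int]]:
    """Shuffle training-sample indices and split them into k disjoint subsets.

    One student is trained per subset, so any single training sample can
    influence at most one of the k students (assumption: subsets are
    disjoint, as "partition" in the abstract suggests).  Augmentation, which
    the paper applies before partitioning, is dataset specific and omitted.
    """
    if k < 1:
        raise ValueError("k must be >= 1")
    order = list(indices)
    random.Random(seed).shuffle(order)
    return [order[i::k] for i in range(k)]


def ensemble_predict(student_probs: Sequence[Sequence[float]]) -> List[float]:
    """Average the students' probability vectors into the served prediction.

    This is the "simply integrated" step: the served output is the mean of
    the per-student softmax vectors, renormalised to sum to 1.
    """
    if not student_probs:
        raise ValueError("need at least one student output")
    n_classes = len(student_probs[0])
    if any(len(p) != n_classes for p in student_probs):
        raise ValueError("students disagree on the number of classes")
    summed = [sum(p[c] for p in student_probs) for c in range(n_classes)]
    total = sum(summed)
    return [s / total for s in summed]


def confidence_threshold_attack(member_scores: Sequence[float],
                                nonmember_scores: Sequence[float]) -> Tuple[float, float]:
    """Black-box MIA: label a query 'member' when its max confidence >= t.

    The attacker only sees the served probability vector, so the signal is
    how confident the model is on the query.  Returns (t, balanced accuracy)
    for the threshold that best separates the two populations; 0.5 means the
    attack is no better than guessing, which is what the abstract reports
    for BAN-MPR.  Both inputs are max-confidence scores, one per query.
    """
    members = list(member_scores)
    nonmembers = list(nonmember_scores)
    if not members or not nonmembers:
        raise ValueError("both populations must be non-empty")
    best_threshold, best_acc = 0.0, 0.0
    for t in sorted(set(members) | set(nonmembers)):
        tpr = sum(1 for s in members if s >= t) / len(members)
        fpr = sum(1 for s in nonmembers if s >= t) / len(nonmembers)
        acc = (tpr + (1.0 - fpr)) / 2.0
        if acc > best_acc:
            best_threshold, best_acc = t, acc
    return best_threshold, best_acc


def demo() -> Dict[str, float]:
    """Exercise the three functions on constructed inputs (not real results)."""
    subsets = partition(range(10), 3)
    # Three constructed student softmax vectors for one query; the served
    # output is their average.
    served = ensemble_predict([[0.90, 0.10], [0.60, 0.40], [0.45, 0.55]])
    # A model whose members are far more confident than non-members leaks
    # membership; identical score populations give a random-guess attack.
    _, leaky_acc = confidence_threshold_attack([0.99, 0.98, 0.97], [0.60, 0.50, 0.40])
    _, blind_acc = confidence_threshold_attack([0.70, 0.80, 0.90], [0.70, 0.80, 0.90])
    return {
        "num_subsets": float(len(subsets)),
        "served_class0": served[0],
        "leaky_attack_acc": leaky_acc,
        "blind_attack_acc": blind_acc,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value:.3f}")
```

The attack here is the simplest black-box MIA (a threshold on the served confidence); evaluating a defense against only this attack is exactly the "limited to specific attacks" weakness the abstract raises for adversarial regularization, so a real evaluation would also run shadow-model and loss-based attacks against the same `ensemble_predict` output.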
