As machine learning (ML) becomes more and more powerful and easily accessible, attackers increasingly leverage ML to perform automated large-scale inference attacks in various domains. In such an ML-equipped inference attack, an attacker has access to some data (called public data) of an individual, a software, or a syst em; and the attacker uses an ML classifier to automatically infer their private data. Inference attacks pose severe privacy and security threats to individuals and systems. Inference attacks are successful because private data are statistically correlated with public data, and ML classifiers can capture such statistical correlations. In this poster, we discuss the defense against ML-equipped inference attacks via adversarial examples. Our key observation is that attackers rely on ML classifiers in inference attacks. The adversarial machine learning community has demonstrated that ML classifiers have various vulnerabilities. Therefore, we can turn the vulnerabilities of ML into defenses against inference attacks. For example, ML classifiers are vulnerable to adversarial examples, which add carefully crafted noise to normal examples such that an ML classifier makes predictions for the examples as we desire. To defend against inference attacks, we can add carefully crafted noise into the public data to turn them into adversarial examples, such that attackers’ classifiers make incorrect predictions for the private data. However, existing methods to construct adversarial examples are insufficient because they did not consider the unique challenges and requirements for the crafted noise at defending against inference attacks. In this poster, we take defending against inference attacks in online social network as an example to illustrate the deceptive mechanisms.

1. Defending against Machine Learning based
Inference Attacks using Adversarial Examples
Jinyuan Jia, Neil Zhenqiang Gong
Department of Electrical and Computer Engineering
1

2. Machine Learning based Inference Attacks
Input: User’s public data
Output: User’s private data
Private data and public data are statistically correlated
Machine
learning
classifier
Public data Private data
(Public data, Private data)
2

3. Machine Learning based Inference Attacks are Pervasive
Attribute inference attacks
Public: Rating scores, page likes, social friends.
Private: Age, gender, political view
Author identification attacks
Public: Text document, program
Private: Author identity
Website fingerprinting attacks
Public: Network traffic
Private: Websites
Membership inference attacks
Public: Confidence scores, gradients
Private: Member/Non-member 3

4. Threat Model
True public data
DefenderUser Attacker
Noisy public data Private data
4

5. Challenges
The defender doesn’t know the attacker’s classifier
The defender itself learn a classifier
Transferability: similar classification boundaries
Satisfy utility constraints
Find a mechanism to add random noise
 is the conditional probability that defender will add noise to user’s
true public data
Sample from to add noise
5
M
*
( | )M r x r
x
M

6. Overview
Challenge to find the mechanism :
The probabilistic mapping is exponential to the
dimensionality of
Categorize noise space into groups to solve the challenge…
0x+r
1x+r
ix+r
1ix+r
…
1nk 
x +r
2n
k 
x +r
mapping
… Class 1
Class 2
Class m
Output of
Output of
Output of
6
M

7. Two-Phase Framework
Phase I: For each noise group, find a minimum noise as representative
noise
Phase II: Simplify the mechanism to be a probability distribution
over representative noise
7

8. Thanks
• Jinyuan Jia, Ahmed Salem, Michael Backes, Yang Zhang, and Neil Zhenqiang
Gong. "MemGuard: Defending against Black-Box Membership Inference Attacks
via Adversarial Examples". In ACM Conference on Computer and Communications
Security (CCS), 2019.
• Jinyuan Jia and Neil Zhenqiang Gong. "AttriGuard: A Practical Defense Against
Attribute Inference Attacks via Adversarial Machine Learning". In USENIX Security
Symposium, 2018.
8