NetGuard: Protecting Commercial Web APIs from Model Inversion Attacks using GAN-generated Fake Samples

Xueluan Gong; Ziyao Wang; Yanjiao Chen; Qian Wang; Cong Wang; Chao Shen

doi:10.1145/3543507.3583224

NetGuard: Protecting Commercial Web APIs from Model Inversion Attacks using GAN-generated Fake Samples

Xueluan Gong
, Ziyao Wang
, Yanjiao Chen^*
, Qian Wang^*
, Cong Wang
, Chao Shen

^*Corresponding author for this work

Department of Computer Science

Research output: Chapters, Conference Papers, Creative and Literary Works › RGC 32 - Refereed conference paper (with host publication) › peer-review

7 Citations (Scopus)

Abstract

Recently more and more cloud service providers (e.g., Microsoft, Google, and Amazon) have commercialized their well-trained deep learning models by providing limited access via web API interfaces. However, it is shown that these APIs are susceptible to model inversion attacks, where attackers can recover the training data with high fidelity, which may cause serious privacy leakage.Existing defenses against model inversion attacks, however, hinder the model performance and are ineffective for more advanced attacks, e.g., Mirror [4]. In this paper, we proposed NetGuard, a novel utility-aware defense methodology against model inversion attacks (MIAs). Unlike previous works that perturb prediction outputs of the victim model, we propose to mislead the MIA effort by inserting engineered fake samples during the training process. A generative adversarial network (GAN) is carefully built to construct fake training samples to mislead the attack model without degrading the performance of the victim model. Besides, we adopt continual learning to further improve the utility of the victim model. Extensive experiments on CelebA, VGG-Face, and VGG-Face2 datasets show that NetGuard is superior to existing defenses, including DP [37] and Ad-mi [32] on state-of-the-art model inversion attacks, i.e., DMI [8], Mirror [4], Privacy [12], and Alignment [34]. © 2023 Copyright held by the owner/author(s). Publication rights licensed to ACM.

Original language	English
Title of host publication	WWW '23: Proceedings of the ACM Web Conference 2023
Publisher	Association for Computing Machinery
Pages	2045-2053
ISBN (Print)	9781450394161
DOIs	https://doi.org/10.1145/3543507.3583224
Publication status	Published - Apr 2023
Event	ACM Web Conference 2023 (WWW '23) - Hybrid, Austin, United States Duration: 30 Apr 2023 → 4 May 2023 https://www2023.thewebconf.org/

Publication series

Name	ACM Web Conference - Proceedings of the World Wide Web Conference, WWW

Conference

Conference	ACM Web Conference 2023 (WWW '23)
Abbreviated title	WWW '23
Place	United States
City	Austin
Period	30/04/23 → 4/05/23
Internet address	https://www2023.thewebconf.org/

Bibliographical note

Full text of this publication does not contain sufficient affiliation information. With consent from the author(s) concerned, the Research Unit(s) information for this record is based on the existing academic department affiliation of the author(s).

Funding

Qian Wang’s work was partially supported by the National Key R&D Program of China (2020AAA0107701) and the NSFC under Grants U20B2049 and U21B2018. Yanjiao’s research is partially supported by the National Natural Science Foundation of China under Grant 61972296.

Research Keywords

Model inversion attacks
Privacy-utility defense framework
Secure web service

Access Output

10.1145/3543507.3583224

Other Access Options

Check CityUHK Library

Permanent Link

Right click to copy link

Cite this

Gong, X., Wang, Z., Chen, Y., Wang, Q., Wang, C., & Shen, C. (2023). NetGuard: Protecting Commercial Web APIs from Model Inversion Attacks using GAN-generated Fake Samples. In WWW '23: Proceedings of the ACM Web Conference 2023 (pp. 2045-2053). (ACM Web Conference - Proceedings of the World Wide Web Conference, WWW ). Association for Computing Machinery. https://doi.org/10.1145/3543507.3583224

@inproceedings{b34f90a38f574ae88f62a37045de2fcd,

title = "NetGuard: Protecting Commercial Web APIs from Model Inversion Attacks using GAN-generated Fake Samples",

abstract = "Recently more and more cloud service providers (e.g., Microsoft, Google, and Amazon) have commercialized their well-trained deep learning models by providing limited access via web API interfaces. However, it is shown that these APIs are susceptible to model inversion attacks, where attackers can recover the training data with high fidelity, which may cause serious privacy leakage.Existing defenses against model inversion attacks, however, hinder the model performance and are ineffective for more advanced attacks, e.g., Mirror [4]. In this paper, we proposed NetGuard, a novel utility-aware defense methodology against model inversion attacks (MIAs). Unlike previous works that perturb prediction outputs of the victim model, we propose to mislead the MIA effort by inserting engineered fake samples during the training process. A generative adversarial network (GAN) is carefully built to construct fake training samples to mislead the attack model without degrading the performance of the victim model. Besides, we adopt continual learning to further improve the utility of the victim model. Extensive experiments on CelebA, VGG-Face, and VGG-Face2 datasets show that NetGuard is superior to existing defenses, including DP [37] and Ad-mi [32] on state-of-the-art model inversion attacks, i.e., DMI [8], Mirror [4], Privacy [12], and Alignment [34]. {\textcopyright} 2023 Copyright held by the owner/author(s). Publication rights licensed to ACM.",

keywords = "Model inversion attacks, Privacy-utility defense framework, Secure web service",

author = "Xueluan Gong and Ziyao Wang and Yanjiao Chen and Qian Wang and Cong Wang and Chao Shen",

note = "Full text of this publication does not contain sufficient affiliation information. With consent from the author(s) concerned, the Research Unit(s) information for this record is based on the existing academic department affiliation of the author(s).; ACM Web Conference 2023 (WWW '23), WWW '23 ; Conference date: 30-04-2023 Through 04-05-2023",

year = "2023",

month = apr,

doi = "10.1145/3543507.3583224",

language = "English",

isbn = "9781450394161",

series = "ACM Web Conference - Proceedings of the World Wide Web Conference, WWW ",

publisher = "Association for Computing Machinery",

pages = "2045--2053",

booktitle = "WWW '23: Proceedings of the ACM Web Conference 2023",

address = "United States",

url = "https://www2023.thewebconf.org/",

}

Gong, X, Wang, Z, Chen, Y, Wang, Q, Wang, C & Shen, C 2023, NetGuard: Protecting Commercial Web APIs from Model Inversion Attacks using GAN-generated Fake Samples. in WWW '23: Proceedings of the ACM Web Conference 2023. ACM Web Conference - Proceedings of the World Wide Web Conference, WWW , Association for Computing Machinery, pp. 2045-2053, ACM Web Conference 2023 (WWW '23), Austin, Texas, United States, 30/04/23. https://doi.org/10.1145/3543507.3583224

NetGuard: Protecting Commercial Web APIs from Model Inversion Attacks using GAN-generated Fake Samples. / Gong, Xueluan; Wang, Ziyao; Chen, Yanjiao et al.
WWW '23: Proceedings of the ACM Web Conference 2023. Association for Computing Machinery, 2023. p. 2045-2053 (ACM Web Conference - Proceedings of the World Wide Web Conference, WWW ).

Research output: Chapters, Conference Papers, Creative and Literary Works › RGC 32 - Refereed conference paper (with host publication) › peer-review

TY - GEN

T1 - NetGuard

T2 - ACM Web Conference 2023 (WWW '23)

AU - Gong, Xueluan

AU - Wang, Ziyao

AU - Chen, Yanjiao

AU - Wang, Qian

AU - Wang, Cong

AU - Shen, Chao

N1 - Full text of this publication does not contain sufficient affiliation information. With consent from the author(s) concerned, the Research Unit(s) information for this record is based on the existing academic department affiliation of the author(s).

PY - 2023/4

Y1 - 2023/4

N2 - Recently more and more cloud service providers (e.g., Microsoft, Google, and Amazon) have commercialized their well-trained deep learning models by providing limited access via web API interfaces. However, it is shown that these APIs are susceptible to model inversion attacks, where attackers can recover the training data with high fidelity, which may cause serious privacy leakage.Existing defenses against model inversion attacks, however, hinder the model performance and are ineffective for more advanced attacks, e.g., Mirror [4]. In this paper, we proposed NetGuard, a novel utility-aware defense methodology against model inversion attacks (MIAs). Unlike previous works that perturb prediction outputs of the victim model, we propose to mislead the MIA effort by inserting engineered fake samples during the training process. A generative adversarial network (GAN) is carefully built to construct fake training samples to mislead the attack model without degrading the performance of the victim model. Besides, we adopt continual learning to further improve the utility of the victim model. Extensive experiments on CelebA, VGG-Face, and VGG-Face2 datasets show that NetGuard is superior to existing defenses, including DP [37] and Ad-mi [32] on state-of-the-art model inversion attacks, i.e., DMI [8], Mirror [4], Privacy [12], and Alignment [34]. © 2023 Copyright held by the owner/author(s). Publication rights licensed to ACM.

AB - Recently more and more cloud service providers (e.g., Microsoft, Google, and Amazon) have commercialized their well-trained deep learning models by providing limited access via web API interfaces. However, it is shown that these APIs are susceptible to model inversion attacks, where attackers can recover the training data with high fidelity, which may cause serious privacy leakage.Existing defenses against model inversion attacks, however, hinder the model performance and are ineffective for more advanced attacks, e.g., Mirror [4]. In this paper, we proposed NetGuard, a novel utility-aware defense methodology against model inversion attacks (MIAs). Unlike previous works that perturb prediction outputs of the victim model, we propose to mislead the MIA effort by inserting engineered fake samples during the training process. A generative adversarial network (GAN) is carefully built to construct fake training samples to mislead the attack model without degrading the performance of the victim model. Besides, we adopt continual learning to further improve the utility of the victim model. Extensive experiments on CelebA, VGG-Face, and VGG-Face2 datasets show that NetGuard is superior to existing defenses, including DP [37] and Ad-mi [32] on state-of-the-art model inversion attacks, i.e., DMI [8], Mirror [4], Privacy [12], and Alignment [34]. © 2023 Copyright held by the owner/author(s). Publication rights licensed to ACM.

KW - Model inversion attacks

KW - Privacy-utility defense framework

KW - Secure web service

UR - https://www.scopus.com/pages/publications/85159267297

UR - https://www.scopus.com/record/pubmetrics.uri?eid=2-s2.0-85159267297&origin=recordpage

U2 - 10.1145/3543507.3583224

DO - 10.1145/3543507.3583224

M3 - RGC 32 - Refereed conference paper (with host publication)

SN - 9781450394161

T3 - ACM Web Conference - Proceedings of the World Wide Web Conference, WWW

SP - 2045

EP - 2053

BT - WWW '23: Proceedings of the ACM Web Conference 2023

PB - Association for Computing Machinery

Y2 - 30 April 2023 through 4 May 2023

ER -

Gong X, Wang Z, Chen Y, Wang Q, Wang C, Shen C. NetGuard: Protecting Commercial Web APIs from Model Inversion Attacks using GAN-generated Fake Samples. In WWW '23: Proceedings of the ACM Web Conference 2023. Association for Computing Machinery. 2023. p. 2045-2053. (ACM Web Conference - Proceedings of the World Wide Web Conference, WWW ). Epub 2023 Apr 30. doi: 10.1145/3543507.3583224

NetGuard: Protecting Commercial Web APIs from Model Inversion Attacks using GAN-generated Fake Samples

Abstract

Publication series

Conference

Bibliographical note

Funding

Research Keywords

Access Output

Other Access Options

Permanent Link

Other Files and Links

Fingerprint

Cite this