Publication: UnSplit: data-oblivious model inversion, model stealing, and label inference attacks against split learning
| dc.contributor.coauthor | Çiçek, A. Ercument | |
| dc.contributor.department | Department of Computer Engineering | |
| dc.contributor.kuauthor | Erdoğan, Ege | |
| dc.contributor.kuauthor | Küpçü, Alptekin | |
| dc.contributor.schoolcollegeinstitute | College of Engineering | |
| dc.date.accessioned | 2024-11-10T00:08:17Z | |
| dc.date.issued | 2022 | |
| dc.description.abstract | Training deep neural networks often forces users to work in a distributed or outsourced setting, accompanied with privacy concerns. Split learning aims to address this concern by distributing the model among a client and a server. The scheme supposedly provides privacy, since the server cannot see the clients' models and inputs. We show that this is not true via two novel attacks. (1) We show that an honest-but-curious split learning server, equipped only with the knowledge of the client neural network architecture, can recover the input samples and obtain a functionally similar model to the client model, without being detected. (2) We show that if the client keeps hidden only the output layer of the model to ''protect'' the private labels, the honest-but-curious server can infer the labels with perfect accuracy. We test our attacks using various benchmark datasets and against proposed privacy-enhancing extensions to split learning. Our results show that plaintext split learning can pose serious risks, ranging from data (input) privacy to intellectual property (model parameters), and provide no more than a false sense of security. | |
| dc.description.indexedby | Scopus | |
| dc.description.indexedby | WOS | |
| dc.description.openaccess | YES | |
| dc.description.publisherscope | International | |
| dc.description.sponsoredbyTubitakEu | N/A | |
| dc.identifier.doi | 10.1145/3559613.3563201 | |
| dc.identifier.isbn | 9781-4503-9873-2 | |
| dc.identifier.scopus | 2-s2.0-85143252442 | |
| dc.identifier.uri | https://doi.org/10.1145/3559613.3563201 | |
| dc.identifier.uri | https://hdl.handle.net/20.500.14288/16931 | |
| dc.identifier.wos | 1138986700012 | |
| dc.keywords | Data privacy | |
| dc.keywords | Label leakage | |
| dc.keywords | Machine learning | |
| dc.keywords | Model inversion | |
| dc.keywords | Model stealing | |
| dc.keywords | Split learning Deep neural networks | |
| dc.keywords | Learning systems | |
| dc.keywords | Network architecture | |
| dc.keywords | Client models | |
| dc.keywords | Inference attacks | |
| dc.keywords | Inversion models | |
| dc.keywords | Label leakage | |
| dc.keywords | Machine-learning | |
| dc.keywords | Model inversion | |
| dc.keywords | Model stealing | |
| dc.keywords | Neural network architecture | |
| dc.keywords | Privacy concerns | |
| dc.keywords | Split learning | |
| dc.keywords | Data privacy | |
| dc.language.iso | eng | |
| dc.publisher | Association for Computing Machinery | |
| dc.relation.ispartof | WPES 2022 - Proceedings of the 21st Workshop on Privacy in the Electronic Society, co-located with CCS 2022 | |
| dc.subject | Neural networks (Neurobiology) | |
| dc.subject | Instructional systems | |
| dc.title | UnSplit: data-oblivious model inversion, model stealing, and label inference attacks against split learning | |
| dc.type | Conference Proceeding | |
| dspace.entity.type | Publication | |
| local.contributor.kuauthor | Küpçü, Alptekin | |
| local.contributor.kuauthor | Erdoğan, Ege | |
| local.publication.orgunit1 | College of Engineering | |
| local.publication.orgunit2 | Department of Computer Engineering | |
| relation.isOrgUnitOfPublication | 89352e43-bf09-4ef4-82f6-6f9d0174ebae | |
| relation.isOrgUnitOfPublication.latestForDiscovery | 89352e43-bf09-4ef4-82f6-6f9d0174ebae | |
| relation.isParentOrgUnitOfPublication | 8e756b23-2d4a-4ce8-b1b3-62c794a8c164 | |
| relation.isParentOrgUnitOfPublication.latestForDiscovery | 8e756b23-2d4a-4ce8-b1b3-62c794a8c164 |
Files
Original bundle
1 - 1 of 1