Defending Black-Box Property Inference Attacks for Gradient Boosted Decision Trees
| Field | Value |
|---|---|
| URL | http://edoc.sub.uni-hamburg.de/informatik/volltexte/2024/283/ |
| Document type | Bachelor Thesis |
| Institute | Department of Computer Science (Fachbereich Informatik) |
| Language | English |
| Year created | 2024 |
| Publication date | 18.12.2024 |
| Free keywords (English) | Property Inference Attacks, Gradient Boosted Decision Trees, Black-Box, Adversarial Learning |
| DDC subject group | Computer Science |
| BK classification | 54.38 |

Abstract (English):
When training a machine learning model, it is important to consider the privacy of the training data. Especially when a model is published in one way or another, steps need to be taken to ensure privacy even when the training data itself is not shared. In many cases it is possible to infer properties of the training data, such as the ratio of male to female samples. A property inference attack like this can be executed even if an adversary is only allowed to observe the output of the model when querying it with chosen inputs. This thesis proposes a first-of-its-kind defense against such property inference attacks for gradient boosted decision trees in a black-box setting. The goal is to defend against an adversary with oracle access to the model and to reduce its accuracy in predicting a property. Ideally, it would be possible to set a target for the adversary's prediction, so that the exact value predicted after defending the model can be controlled rather than being left to randomness. The defense is tested on the ADULT data set. Several parameters are tested: a trade-off parameter λ, which determines the trade-off between defending the model and training it for its intended task, and an adversarial learning rate, which controls how fast the adversary is supposed to move toward the target value, which can also be set. The tests are run on several models with different distributions of the property that the adversary is supposed to infer. While the defense did succeed in lowering the adversary's accuracy significantly, even without having much impact on the model's training process, there is still work to be done on the second goal. Controlling the adversary's predictions by setting a target did not work as intended. It was possible to achieve a good fit for the mean prediction with some parameters, but the predictions were spread out in such a way that only a few of them were actually on target.
Copyright notice
For documents offered in electronic form over data networks, the German Copyright Act (UrhG) applies without restriction. In particular:
Individual reproductions, e.g. copies and printouts, may only be made for private and other personal use (Section 53 of the Copyright Act). The production and distribution of further reproductions is permitted only with the express consent of the author.
The user is personally responsible for compliance with the legal provisions and may be held liable in the event of misuse.