Protect privacy of deep classification networks by exploiting their generative power

Abstract Research showed that deep learning models are vulnerable to membership inference attacks, which aim determine if an example is in the training set of model. We propose a new framework defend against this sort attack. Our key insight we retrain original classifier with dataset independent while their elements sampled from same distribution, retrained will leak no information cannot be inferred distribution about set. consists three phases. First, transferred Joint Energy-based Model (JEM) exploit model’s implicit generative power. Then, JEM create dataset. Finally, used or fine-tune classifier. empirically studied different transfer schemes for and fine-tuning/retraining strategies shadow-model attacks. evaluation shows our can suppress attacker’s advantage negligible level keeping classifier’s accuracy acceptable. compared it other state-of-the-art defenses considering adaptive attackers defense effective even under worst-case scenario. Besides, also found combining often achieves better robustness. code made available at https://github.com/ChenJiyu/meminf-defense.git .