Home

Awesome

Membership Inference Attacks and Defenses in Neural Network Pruning

This repository accompanies the paper Membership Inference Attacks and Defenses in Neural Network Pruning, accepted by USENIX Security 2022. The extended version can be found at arXiv. The repository contains the main code of membership inference attacks and defenses in neural network pruning. The code is tested on Python 3.8, Pytorch 1.8.1, and Ubuntu 18.04. GPUs are needed to accelerate neural network training and membership inference attacks.

Attack Pipeline

Background

Neural network pruning has been an essential technique to reduce the computation and memory requirements for using deep neural networks for resource-constrained devices. We investigated the membership inference attacks (MIA) and the countermeasures in neural network pruning. We proposed a membership inference attack, namely self-attention membership inference attack (SAMIA), targeted at pruned neural networks, as well as a pair-based posterior balancing (PPB) defense method.

Installation

Get the repository:

git clone https://github.com/Machine-Learning-Security-Lab/mia_prune
cd mia_prune

Install Python packages.

pip install -r requirements.txt

Create a folder for storing datasets. The data folder location can be updated in datasets.py.

mkdir -p data/datasets

Create a folder for storing the models.

mkdir results

Usage

Attacks

  1. Train an original neural network:
python pretrain.py [GPU-ID] [config_path] 
  1. Prune the model and fine-tune the model
python prune.py [GPU-ID] [config_path] --pruner_name [pruner_name] --prune_sparsity [prune_sparsity]
  1. Conduct membership inference attacks on the pruned model.
python mia.py [GPU-ID] [config_path] --pruner_name [pruner_name] --prune_sparsity [prune_sparsity] --attacks [attacks]
  1. Conduct membership inference attacks on the original model.
python mia.py [GPU-ID] [config_path] --attacks [attacks] --original

Defenses

  1. Based on an original model, prune the model and fine-tune the model with a defense method and its arguments.
python prune.py [GPU-ID] [config_path] --pruner_name [pruner_name] --prune_sparsity [prune_sparsity] 
--defend [defend] --defend_arg [defend_arg]
  1. Conduct membership inference attacks on the pruned model with defense.
python mia.py [GPU-ID] [config_path] --pruner_name [pruner_name] --prune_sparsity [prune_sparsity] --attacks [attacks]
--defend [defend] --defend_arg [defend_arg]
  1. Conduct membership inference attacks on the pruned model with defense when the attacker knows the defense (adaptive attack).
python mia.py [GPU-ID] [config_path] --pruner_name [pruner_name] --prune_sparsity [prune_sparsity] --attacks [attacks]
--defend [defend] --defend_arg [defend_arg] --adaptive

Argument options

Examples

Train a CIFAR10 model using ResNet18 model on GPU0.

python pretrain.py 0 config/cifar10_resnet18.json

Prune the model using l1unstructured pruning with sparsity level 70% (remove 70% parameters).

python prune.py 0 config/cifar10_resnet18.json --pruner_name l1unstructure --prune_sparsity 0.7

Attack the pruned model using SAMIA.

python mia.py 0 config/cifar10_resnet18.json --attacks samia

Attack the original model using SAMIA.

python mia.py 0 config/cifar10_resnet18.json --attacks samia --original

Prune the original model with PPB defense.

python prune.py 0 config/cifar10_resnet18.json --defend ppb --defend_arg 4

Attack the pruned model with defense using SAMIA.

python mia.py 0 config/cifar10_resnet18.json --attacks samia,threshold --defend ppb --defend_arg 4

Attack the pruned model with defense using SAMIA when the attacker knows the defense, e.g., adaptive attack.

python mia.py 0 config/cifar10_resnet18.json --attacks samia,threshold --defend ppb --defend_arg 4 ----adaptive

Launch multiple attacks.

python mia.py 0 config/cifar10_resnet18.json --attacks samia,nn,nn_top3

Structure

Citation

@inproceedings{yuan2022membership,
  title = {Membership Inference Attacks and Defenses in Neural Network Pruning},
  booktitle = {31st USENIX Security Symposium (USENIX Security 22)},
  author={Yuan, Xiaoyong and Zhang, Lan},
  year={2022}
}