A Novel Membership Inference Attack against Dynamic Neural Networks by Utilizing Policy Networks Information
This paper addresses a security vulnerability in dynamic neural networks, which are increasingly used for efficiency, but the contribution is incremental: it extends known attack methods to a new model type.
The paper tackles membership inference attacks on dynamic neural networks, which adjust their structures or parameters per input. It proposes a novel attack that leverages policy network information and achieves better results than baseline attacks on image classification tasks like CIFAR-10 and CIFAR-100.
Unlike traditional static deep neural networks (DNNs), dynamic neural networks (NNs) adjust their structures or parameters to different inputs to guarantee accuracy and computational efficiency. Meanwhile, they have recently become an emerging research area in deep learning. Although traditional static DNNs are vulnerable to the membership inference attack (MIA), which aims to infer whether a particular point was used to train the model, little is known about how such an attack performs on dynamic NNs. In this paper, we propose a novel MI attack against dynamic NNs, leveraging the unique policy networks mechanism of dynamic NNs to increase the effectiveness of membership inference. We conducted extensive experiments using two dynamic NNs, i.e., GaterNet and BlockDrop, on four mainstream image classification tasks, i.e., CIFAR-10, CIFAR-100, STL-10, and GTSRB. The evaluation results demonstrate that the control-flow information can significantly promote the MIA. Based on backbone-finetuning and information-fusion, our method achieves better results than the baseline attack and the traditional attack using intermediate information.