Manipulating Transfer Learning for Property Inference
This exposes a security vulnerability in transfer learning for machine learning practitioners, enabling privacy breaches through model manipulation.
The paper tackles the problem of property inference attacks in transfer learning, where an adversary manipulates an upstream model to infer specific properties (e.g., presence of a person's images) from a victim's downstream model, achieving high effectiveness with AUC scores > 0.9 without significant performance loss.
Transfer learning is a popular method for tuning pretrained (upstream) models for different downstream tasks using limited data and computational resources. We study how an adversary with control over an upstream model used in transfer learning can conduct property inference attacks on a victim's tuned downstream model. For example, to infer the presence of images of a specific individual in the downstream training set. We demonstrate attacks in which an adversary can manipulate the upstream model to conduct highly effective and specific property inference attacks (AUC score $> 0.9$), without incurring significant performance loss on the main task. The main idea of the manipulation is to make the upstream model generate activations (intermediate features) with different distributions for samples with and without a target property, thus enabling the adversary to distinguish easily between downstream models trained with and without training examples that have the target property. Our code is available at https://github.com/yulongt23/Transfer-Inference.