Link to paper

The full paper is available here.

You can also find the paper on PapersWithCode here.

Abstract

  • Main challenge in animal ecology is to re-identify and discriminate between known and unknown individuals
  • Novel approach proposed to tackle this challenge is based on Membership Inference Attacks (MIAs)
  • Experiments conducted on three benchmark datasets, two neural network architectures and three MIAs
  • Ensemble MIA strategy designed to increase attack accuracy and reduce false positive rate
  • Research on privacy attacks can be used to address practical challenges in animal ecology

Paper Content

Introduction

  • Animal ecology research requires re-identifying individual animals
  • Re-ID is difficult and often requires extensive training and experience
  • Tagging and photo-ID are used to re-ID animals
  • Tagging is intrusive and expensive, photo-ID is non-invasive and cheaper
  • Photo-ID has practical and methodological challenges
  • Computer vision techniques are used to standardize and automate the process
  • Feature engineering is used to select or transform raw data into informative features
  • Feature engineering requires programming experience and familiarity with the species
  • Deep learning systems use large data volumes to automatically learn discriminative features
  • Convolutional Neural Networks (CNNs) have achieved state-of-the-art results
  • CNNs lack robustness when deployed in real-world applications
  • Membership Inference Attacks (MIA) can be used to discriminate between known and unknown individuals
  • This paper proposes a novel approach for whales discrimination through images
  • Experiments have been conducted with three state-of-the-art MIAs
  • Ensemble MIAs combines the outputs of different MIAs to increase accuracy and decrease false positive rate
  • Review of related work on reidentification and discrimination of marine mammals
  • Background on MIAs

Automated photo identification of marine mammals

  • Research on individual identification of cetaceans using natural markings began in the 1970s
  • Notches in the dorsal fin or fluke are used for identification
  • Image metadata (annotations describing the animal characteristics) can be used to reduce the number of possible matches
  • Machine learning techniques (neural networks, Bayesian classifiers, decision trees and k-nearest neighbors) were applied on 869 pictures of 223 Commerson’s dolphins
  • Decision tree classifier correctly identified 90% of the individuals
  • SPIR system developed to study presence of Risso’s dolphins
  • Preprocessing of input image to extract dorsal fin segmentation
  • Feature extraction using Speeded Up Robust Feature (SURF) and Scale-Invariant Feature Transform (SIFT)
  • NNPool proposed to automatically discriminate unknown vs. known Risso’s dolphins
  • Deep learning approaches relatively novel in the field of animal photo-ID
  • FIN-PRINT developed to identify killer whales
  • Cheeseman et al. developed a CNN-based similarity algorithm for humpback whales
  • No automatic photo-ID systems for beluga whales re-identification available

Membership inference attack

  • Sensitive inferences can be drawn from data
  • Privacy attacks can be used to reconstruct training data or predict if a profile was in the training dataset
  • Membership inference is problematic if it reveals sensitive information about an individual
  • Adversary models assume either black-box or white-box access to the model
  • Success of privacy attacks is impacted by model overfitting
  • Standard machine learning metrics can be used to quantify success of attacks
  • False positive rate should be reduced to be a good indicator of attack performance

Proposed approach

  • Describe generic beluga whale re-id pipeline
  • Detail training process for attack model
  • Describe different MIAs from state-of-the-art
  • Describe novel approach to perform MIA based on ensemble strategy

Beluga whale identification pipeline

  • Beluga whale identification pipeline consists of two phases: discrimination and re-identification
  • Discrimination phase uses attack model to determine if target sample is known or unknown
  • Re-identification phase uses side-information from experts to classify unknown individuals

Training of the attack model

  • Adversary has access to attack dataset Ds
  • Attack dataset comes from same distribution as target model
  • Core idea is to train attack model to detect if sample is in target model’s training set
  • Attack model mimics behavior of target model
  • Attack test dataset is disjoint from Ds and Dtrain
  • Prediction vector labels “member” as 1 and “non-member” as 0

Attack model design

  • MIA attack applied to target model
  • Adversary has black-box access to model
  • White-box access not considered but could be in future
  • Three state-of-the-art MIAs used
  • Leverage different types of info from target model
  • Neural network-based, metric-based and query-based attack strategies
  • Metric-based attack uses prediction confidence and threshold
  • Query-based attack uses adversarial perturbations and threshold
  • Robustness to perturbations higher for members

Ensemble membership inference attack

  • Proposed a novel way to perform a Membership Inference Attack (MIA)
  • MIA ensemble uses multiple attack models trained on different subsets of the data
  • Combination rule labels input as “member” if at least one attack model predicts it as such

Experimental setting

  • Used MIA to validate approach for beluga whale discrimination
  • Described datasets used in experiments
  • Described experimental configuration
  • Described target and attack models’ architectures and training settings

Datasets

  • Experiments conducted on 3 datasets: GREMM, Humpback and NOAA
  • GREMM dataset contains 983 beluga individuals and 3402 images
  • Humpback dataset contains 270 individuals and 4814 images
  • NOAA dataset contains 380 individuals and 5158 images

Experimental configuration

  • Datasets used to train MIAs are composed of individual whales with many pictures associated to them.
  • Three disjoint sub-datasets with equal or approximately equal number of identities were sampled.
  • Augmentation process included operations such as random horizontal flip and brightness variation.
  • Three disjoint augmented subsets were constructed and assigned randomly the identities of belugas.
  • Each subset contains approximately 1/3 of the identities.
  • Non-members of ID 2 are used to train the attack model while the ones of ID 3 are used to evaluate the attack performance.

Target and attack models

  • ResNet50 and DenseNet121 are two popular neural network architectures used as the target model
  • ResNet50 uses a stack of three layers with 1x1, 3x3, and 1x1 convolutions as the building residual block
  • Batch normalization and global average pooling are used after each convolution
  • DenseNet architecture is designed around a simple connectivity pattern of dense blocks and transition layers
  • Hyperparameters are set to reduce overfitting and False Positive Rate is used to measure attack success rate

Results

  • Compare attack performance of proposed MIA algorithms for different whale datasets
  • Discuss choice of attack dataset and attack model’s architecture to evaluate MIA
  • Explore influence of different factors on attack’s performance
  • Present performance of novel ensemble MIA for different real-world scenarios

Evaluation of mias

  • MIAs were tested against ResNet50 and DenseNet121 architectures
  • ResNet50+LabelOnly performs best
  • ResNet50+Yeom and ResNet50+Salem have lower performance
  • LabelOnly requires more query budgets and computation costs
  • Metric-based MIAs can achieve performance close to best attack
  • Attack performance can be improved by changing model architecture
  • Success of attacks is lower for GREMM dataset due to lack of discriminative characteristics

Generalization of the attack

  • Previous works focused on adversary training an attack model of same architecture as target model on attack dataset from same distribution as target dataset.
  • This work creates attack dataset composed of half members and half non-members from different distribution than target dataset.
  • Successful attack means attack model generalizes to new pictures of members and non-members.
  • Attack performance remains almost the same when attack dataset contains non-members from different distribution than target dataset.
  • Attack performance still effective even when target and attack models’ architectures are different.
  • First to quantify generation power of MIAs with attack dataset composed of half known members and half unknown non-members.

Mias influence factors

  • Overfitting can make a model more vulnerable to privacy attacks.
  • Overfitting increases the vulnerability of a model to MIAs.
  • The attack performance is correlated with the overfitting level.
  • The attack performance is correlated with the KL-divergence of cross-entropy distributions between members and non-members.
  • KL-divergence of cross-entropy has a higher correlation to the attack performance than the overfitting level.
  • The attack performance increases with the increase in the number of epochs.
  • The KL-divergence and attack performance become stable after 120 epochs.
  • The target model’s training accuracy and testing accuracy are reported in Table 5.
  • The ResNet50+Salem, ResNet50+Yeom and ResNet50+LabelOnly attacks are studied.
  • The best average attack accuracy for the original model (trained with overfitting) was 0.706.
  • The best average attack accuracy for the model with no-overfitting was 0.539.

Mia robustness and performance of ensemble mia

  • Discrimination based on MIA can be impractical when FPR is too high.
  • Average FPR for Humpback and NOAA datasets is 0.03%.
  • Most members and non-members are well discriminated for those datasets.
  • GREMM has a high FPR, which can be decreased to 0.34% using ResNet+LabelOnly attack.
  • Ensemble MIA approach proposed to reduce FAR and increase attack success rate.

Conclusion

  • Performed MIAs against models trained on open-set datasets of whales
  • Objective was to discriminate between known and unknown individuals
  • Investigated three MIAs from the state-of-the-art using two popular model architectures and three whale benchmark datasets
  • Best combination of model architecture and MIA was ResNet50+ LabelOnly
  • Non-members used to train attack model could be from different whale population
  • Architecture of attack model does not need to be similar to target model
  • Overfitting level in small subsets leads to higher leak of information
  • Proposed novel approach called Ensemble MIA which improved attack performance and decreased FPR