Link to paper
The full paper is available here.
You can also find the paper on PapersWithCode here.
Abstract
- Main challenge in animal ecology is to re-identify and discriminate between known and unknown individuals
- Novel approach proposed to tackle this challenge is based on Membership Inference Attacks (MIAs)
- Experiments conducted on three benchmark datasets, two neural network architectures and three MIAs
- Ensemble MIA strategy designed to increase attack accuracy and reduce false positive rate
- Research on privacy attacks can be used to address practical challenges in animal ecology
Paper Content
Introduction
- Animal ecology research requires re-identifying individual animals
- Re-ID is difficult and often requires extensive training and experience
- Tagging and photo-ID are used to re-ID animals
- Tagging is intrusive and expensive, photo-ID is non-invasive and cheaper
- Photo-ID has practical and methodological challenges
- Computer vision techniques are used to standardize and automate the process
- Feature engineering is used to select or transform raw data into informative features
- Feature engineering requires programming experience and familiarity with the species
- Deep learning systems use large data volumes to automatically learn discriminative features
- Convolutional Neural Networks (CNNs) have achieved state-of-the-art results
- CNNs lack robustness when deployed in real-world applications
- Membership Inference Attacks (MIA) can be used to discriminate between known and unknown individuals
- This paper proposes a novel approach for whales discrimination through images
- Experiments have been conducted with three state-of-the-art MIAs
- Ensemble MIAs combines the outputs of different MIAs to increase accuracy and decrease false positive rate
Related work
- Review of related work on reidentification and discrimination of marine mammals
- Background on MIAs
Automated photo identification of marine mammals
- Research on individual identification of cetaceans using natural markings began in the 1970s
- Notches in the dorsal fin or fluke are used for identification
- Image metadata (annotations describing the animal characteristics) can be used to reduce the number of possible matches
- Machine learning techniques (neural networks, Bayesian classifiers, decision trees and k-nearest neighbors) were applied on 869 pictures of 223 Commerson’s dolphins
- Decision tree classifier correctly identified 90% of the individuals
- SPIR system developed to study presence of Risso’s dolphins
- Preprocessing of input image to extract dorsal fin segmentation
- Feature extraction using Speeded Up Robust Feature (SURF) and Scale-Invariant Feature Transform (SIFT)
- NNPool proposed to automatically discriminate unknown vs. known Risso’s dolphins
- Deep learning approaches relatively novel in the field of animal photo-ID
- FIN-PRINT developed to identify killer whales
- Cheeseman et al. developed a CNN-based similarity algorithm for humpback whales
- No automatic photo-ID systems for beluga whales re-identification available
Membership inference attack
- Sensitive inferences can be drawn from data
- Privacy attacks can be used to reconstruct training data or predict if a profile was in the training dataset
- Membership inference is problematic if it reveals sensitive information about an individual
- Adversary models assume either black-box or white-box access to the model
- Success of privacy attacks is impacted by model overfitting
- Standard machine learning metrics can be used to quantify success of attacks
- False positive rate should be reduced to be a good indicator of attack performance
Proposed approach
- Describe generic beluga whale re-id pipeline
- Detail training process for attack model
- Describe different MIAs from state-of-the-art
- Describe novel approach to perform MIA based on ensemble strategy
Beluga whale identification pipeline
- Beluga whale identification pipeline consists of two phases: discrimination and re-identification
- Discrimination phase uses attack model to determine if target sample is known or unknown
- Re-identification phase uses side-information from experts to classify unknown individuals
Training of the attack model
- Adversary has access to attack dataset Ds
- Attack dataset comes from same distribution as target model
- Core idea is to train attack model to detect if sample is in target model’s training set
- Attack model mimics behavior of target model
- Attack test dataset is disjoint from Ds and Dtrain
- Prediction vector labels “member” as 1 and “non-member” as 0
Attack model design
- MIA attack applied to target model
- Adversary has black-box access to model
- White-box access not considered but could be in future
- Three state-of-the-art MIAs used
- Leverage different types of info from target model
- Neural network-based, metric-based and query-based attack strategies
- Metric-based attack uses prediction confidence and threshold
- Query-based attack uses adversarial perturbations and threshold
- Robustness to perturbations higher for members
Ensemble membership inference attack
- Proposed a novel way to perform a Membership Inference Attack (MIA)
- MIA ensemble uses multiple attack models trained on different subsets of the data
- Combination rule labels input as “member” if at least one attack model predicts it as such
Experimental setting
- Used MIA to validate approach for beluga whale discrimination
- Described datasets used in experiments
- Described experimental configuration
- Described target and attack models’ architectures and training settings
Datasets
- Experiments conducted on 3 datasets: GREMM, Humpback and NOAA
- GREMM dataset contains 983 beluga individuals and 3402 images
- Humpback dataset contains 270 individuals and 4814 images
- NOAA dataset contains 380 individuals and 5158 images
Experimental configuration
- Datasets used to train MIAs are composed of individual whales with many pictures associated to them.
- Three disjoint sub-datasets with equal or approximately equal number of identities were sampled.
- Augmentation process included operations such as random horizontal flip and brightness variation.
- Three disjoint augmented subsets were constructed and assigned randomly the identities of belugas.
- Each subset contains approximately 1/3 of the identities.
- Non-members of ID 2 are used to train the attack model while the ones of ID 3 are used to evaluate the attack performance.
Target and attack models
- ResNet50 and DenseNet121 are two popular neural network architectures used as the target model
- ResNet50 uses a stack of three layers with 1x1, 3x3, and 1x1 convolutions as the building residual block
- Batch normalization and global average pooling are used after each convolution
- DenseNet architecture is designed around a simple connectivity pattern of dense blocks and transition layers
- Hyperparameters are set to reduce overfitting and False Positive Rate is used to measure attack success rate
Results
- Compare attack performance of proposed MIA algorithms for different whale datasets
- Discuss choice of attack dataset and attack model’s architecture to evaluate MIA
- Explore influence of different factors on attack’s performance
- Present performance of novel ensemble MIA for different real-world scenarios
Evaluation of mias
- MIAs were tested against ResNet50 and DenseNet121 architectures
- ResNet50+LabelOnly performs best
- ResNet50+Yeom and ResNet50+Salem have lower performance
- LabelOnly requires more query budgets and computation costs
- Metric-based MIAs can achieve performance close to best attack
- Attack performance can be improved by changing model architecture
- Success of attacks is lower for GREMM dataset due to lack of discriminative characteristics
Generalization of the attack
- Previous works focused on adversary training an attack model of same architecture as target model on attack dataset from same distribution as target dataset.
- This work creates attack dataset composed of half members and half non-members from different distribution than target dataset.
- Successful attack means attack model generalizes to new pictures of members and non-members.
- Attack performance remains almost the same when attack dataset contains non-members from different distribution than target dataset.
- Attack performance still effective even when target and attack models’ architectures are different.
- First to quantify generation power of MIAs with attack dataset composed of half known members and half unknown non-members.
Mias influence factors
- Overfitting can make a model more vulnerable to privacy attacks.
- Overfitting increases the vulnerability of a model to MIAs.
- The attack performance is correlated with the overfitting level.
- The attack performance is correlated with the KL-divergence of cross-entropy distributions between members and non-members.
- KL-divergence of cross-entropy has a higher correlation to the attack performance than the overfitting level.
- The attack performance increases with the increase in the number of epochs.
- The KL-divergence and attack performance become stable after 120 epochs.
- The target model’s training accuracy and testing accuracy are reported in Table 5.
- The ResNet50+Salem, ResNet50+Yeom and ResNet50+LabelOnly attacks are studied.
- The best average attack accuracy for the original model (trained with overfitting) was 0.706.
- The best average attack accuracy for the model with no-overfitting was 0.539.
Mia robustness and performance of ensemble mia
- Discrimination based on MIA can be impractical when FPR is too high.
- Average FPR for Humpback and NOAA datasets is 0.03%.
- Most members and non-members are well discriminated for those datasets.
- GREMM has a high FPR, which can be decreased to 0.34% using ResNet+LabelOnly attack.
- Ensemble MIA approach proposed to reduce FAR and increase attack success rate.
Conclusion
- Performed MIAs against models trained on open-set datasets of whales
- Objective was to discriminate between known and unknown individuals
- Investigated three MIAs from the state-of-the-art using two popular model architectures and three whale benchmark datasets
- Best combination of model architecture and MIA was ResNet50+ LabelOnly
- Non-members used to train attack model could be from different whale population
- Architecture of attack model does not need to be similar to target model
- Overfitting level in small subsets leads to higher leak of information
- Proposed novel approach called Ensemble MIA which improved attack performance and decreased FPR