Privacy Backdoors: Stealing Data with Corrupted Pretrained Models
Shanglun Feng, Florian Tramèr
arXiv.org Artificial Intelligence
Practitioners commonly download pretrained machine learning models from open repositories and finetune them to fit specific applications. We show that this practice introduces a new risk of privacy backdoors. By tampering with a pretrained model's weights, an attacker can fully compromise the privacy of the finetuning data. We show how to build privacy backdoors for a variety of models, including transformers, which enable an attacker to reconstruct individual finetuning samples, with a guaranteed success! We further show that backdoored models allow for tight privacy attacks on models trained with differential privacy (DP). The common optimistic practice of training DP models with loose privacy guarantees is thus insecure if the model is not trusted. Overall, our work highlights a crucial and overlooked supply chain attack on machine learning privacy.
Mar-30-2024
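The abstract says that tampered pretrained weights let an attacker read a finetuning sample back out of the finetuned model. The following is an added illustration of the basic weight-level mechanism, not code from the paper: for a ReLU unit i in a linear layer, one gradient step updates its weight row by g·x and its bias by the same scalar g, so if the unit fired on exactly one sample x during the step, the attacker who knows the pre-finetuning weights recovers x as ΔW_i / Δb_i. The "trap" is an attacker-planted unit whose weight row and bias make it fire only above a threshold along a chosen direction. Everything here is constructed for the demo and is an assumption rather than the paper's construction: a one-hidden-layer model with a frozen linear readout, squared-error loss, one full-batch SGD step, pure Python with no dependencies, and a threshold picked so that the trap fires on one sample. The paper's own method for guaranteeing single-sample capture, and its transformer variants, are not reproduced.

```python
# Added example (not from the paper): a minimal "data trap" showing how
# attacker-chosen weights turn one finetuning step into a sample leak.
# Pure Python, no dependencies. All dimensions, weights and samples below
# are constructed for illustration.

def dot(a, b):
    return sum(x * y for x, y in zip(a, b))

def forward(W, b, v, x):
    """One hidden ReLU layer (W, b) feeding a frozen linear readout v."""
    z = [dot(W[i], x) + b[i] for i in range(len(W))]
    a = [zi if zi > 0 else 0.0 for zi in z]
    return z, a, dot(v, a)

def sgd_step(W, b, v, batch, targets, lr):
    """Full-batch SGD on 0.5*(out - t)^2 averaged over the batch.

    Only the hidden layer is updated (v is held fixed, an assumption that
    keeps the demo short). Gradients are computed by hand: for a ReLU unit i
    that fires on sample x, dL/dW_i = g * x and dL/db_i = g with the same g.
    """
    h, d, n = len(W), len(W[0]), len(batch)
    gW = [[0.0] * d for _ in range(h)]
    gb = [0.0] * h
    for x, t in zip(batch, targets):
        z, _, out = forward(W, b, v, x)
        dout = (out - t) / n
        for i in range(h):
            if z[i] > 0:                     # ReLU gate: unit i saw this sample
                g = dout * v[i]
                gb[i] += g
                for j in range(d):
                    gW[i][j] += g * x[j]
    W2 = [[W[i][j] - lr * gW[i][j] for j in range(d)] for i in range(h)]
    b2 = [b[i] - lr * gb[i] for i in range(h)]
    return W2, b2

def plant_trap(W, b, unit, direction, threshold):
    """Attacker step before release: unit fires only when direction.x > threshold."""
    W[unit] = list(direction)
    b[unit] = -threshold

def recover(W_before, b_before, W_after, b_after, unit):
    """Attacker step after finetuning: x = dW_i / db_i (None if the trap never fired)."""
    dW = [a - c for a, c in zip(W_after[unit], W_before[unit])]
    db = b_after[unit] - b_before[unit]
    if abs(db) < 1e-12:
        return None
    return [w / db for w in dW]

def run_attack(threshold):
    """Constructed scenario: 3 finetuning samples, trap on hidden unit 0.
    Returns (recovered vector, indices of samples that fired the trap)."""
    batch = [[0.20, 0.40, -0.10, 0.30],
             [0.50, -0.20, 0.60, 0.10],
             [0.95, -0.30, 0.70, 0.10]]   # sample 2 is the victim
    targets = [0.0, 0.0, 0.0]
    W = [[0.0] * 4,                       # unit 0 is overwritten by plant_trap
         [0.30, -0.20, 0.10, 0.40],
         [-0.10, 0.50, 0.20, -0.30],
         [0.20, 0.20, -0.40, 0.10]]
    b = [0.0, 0.10, 0.05, 0.20]
    v = [1.0, 0.5, -0.5, 0.25]
    plant_trap(W, b, unit=0, direction=[1.0, 0.0, 0.0, 0.0], threshold=threshold)
    fired = [n for n, x in enumerate(batch) if forward(W, b, v, x)[0][0] > 0]
    W2, b2 = sgd_step(W, b, v, batch, targets, lr=0.1)   # the victim's finetuning step
    return recover(W, b, W2, b2, unit=0), fired

def close(a, b, tol=1e-9):
    return a is not None and all(abs(x - y) < tol for x, y in zip(a, b))

if __name__ == "__main__":
    rec, fired = run_attack(threshold=0.9)
    print("fired:", fired, "recovered:", rec)   # exactly the victim sample
    rec, fired = run_attack(threshold=0.4)
    print("fired:", fired, "recovered:", rec)   # a blend of two samples, neither recoverable
```

With threshold 0.9 the trap fires on the victim alone and `recover` returns it to floating-point precision; with threshold 0.4 two samples fire and the ratio is their gradient-weighted blend, which is the failure case the paper's construction is designed to rule out. Note that the attack needs only the released weights and the finetuned weights, not gradients or training logs. One further observation (mine, not demonstrated above): under DP-SGD, per-sample clipping rescales ΔW_i and Δb_i of a single captured sample by the same factor, so clipping leaves the ratio intact and only the added noise disturbs it, which is consistent with the abstract's claim that a backdoor makes loose DP budgets insufficient.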