Quantifying and Mitigating Privacy Risks of Contrastive Learning

He, Xinlei and Zhang, Yang
(2021) Quantifying and Mitigating Privacy Risks of Contrastive Learning.
In: ACM SIGSAC Conference on Computer and Communications Security.
Conference: CCS ACM Conference on Computer and Communications Security

[img]
Preview
 Text
CCS21-ContrastivePrivacy.pdf
Download (2MB) | Preview

Abstract

Data is the key factor to drive the development of machine learning (ML) during the past decade. However, high-quality data, in particular labeled data, is often hard and expensive to collect. To leverage large-scale unlabeled data, self-supervised learning, represented by contrastive learning, is introduced. The objective of contrastive learning is to map different views derived from a training sample (e.g., through data augmentation) closer in their representation space, while different views derived from different samples more distant. In this way, a contrastive model learns to generate informative representations for data samples, which are then used to perform downstream ML tasks. Recent research has shown that machine learning models are vulnerable to various privacy attacks. However, most of the current efforts concentrate on models trained with supervised learning. Meanwhile, data samples' informative representations learned with contrastive learning may cause severe privacy risks as well. In this paper, we perform the first privacy analysis of contrastive learning through the lens of membership inference and attribute inference. Our experimental results show that contrastive models trained on image datasets are less vulnerable to membership inference attacks but more vulnerable to attribute inference attacks compared to supervised models. The former is due to the fact that contrastive models are less prone to overfitting, while the latter is caused by contrastive models' capability of representing data samples expressively. To remedy this situation, we propose the first privacy-preserving contrastive learning mechanism, Talos, relying on adversarial training. Empirical results show that Talos can successfully mitigate attribute inference risks for contrastive models while maintaining their membership privacy and model utility.

Item Type: Conference or Workshop Item (A Paper) (Paper)
Divisions: Yang Zhang (YZ)
Conference: CCS ACM Conference on Computer and Communications Security
Depositing User: Yang Zhang
Date Deposited: 05 Oct 2021 11:19
Last Modified: 15 Oct 2022 15:47
Primary Research Area: NRA1: Trustworthy Information Processing
URI: https://publications.cispa.saarland/id/eprint/3490

Actions

Actions (login required)

View Item View Item
CISPA is powered by EPrints 3 which is developed by the School of Electronics and Computer Science at the University of Southampton. More information and software credits.