
2024 | Original Paper | Book Chapter

Combinations of AI Models and XAI Metrics Vulnerable to Record Reconstruction Risk

Authors: Ryotaro Toma, Hiroaki Kikuchi

Published in: Privacy in Statistical Databases

Publisher: Springer Nature Switzerland


Abstract

Explainable AI (XAI) metrics have gained attention because of the need to ensure fairness and transparency in machine learning models by giving users some understanding of a model's internal processes. Many services, including Amazon Web Services, the Google Cloud Platform, and Microsoft Azure, run machine-learning-as-a-service platforms that provide several indices, including Shapley values, to explain the relationship between the output of a black-box model and its private input features. However, in 2022 it was demonstrated that a Shapley-value-based explanation can lead to the reconstruction of private attributes, posing a risk of information leakage from the model. It was also shown that the leaked values depend on the black-box model used; it remained unclear, however, which combinations of black-box model and XAI metric are vulnerable to a reconstruction attack. The present study shows, both theoretically and experimentally, that Shapley values are indeed vulnerable to such an attack. We prove that the Shapley values of a linear model can lead to a perfect reconstruction of records, that is, they enable an accurate estimation of private values. In addition, we investigate how the various optimization algorithms used in attack models affect the reconstruction risk.
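To make the linear-model claim concrete, the following is a minimal illustrative sketch (ours, not the authors' code) of why the released explanation alone can suffice. For a linear model f(x) = w . x + b with independent features, the interventional Shapley value of feature i reduces to phi_i = w_i * (x_i - E[x_i]) (the Linear SHAP result of Lundberg and Lee), so an adversary who knows the weights and the feature means can invert it exactly whenever w_i != 0. The variable names and the NumPy setup below are illustrative assumptions.

import numpy as np

# Sketch: invert linear-model Shapley values to recover a private record.
# For f(x) = w.x + b with independent features, phi_i = w_i * (x_i - E[x_i]),
# so x_i = E[x_i] + phi_i / w_i for every feature with w_i != 0.
rng = np.random.default_rng(0)

n, d = 1000, 5
X_bg = rng.normal(size=(n, d))      # background data used by the explainer
w = rng.uniform(0.5, 2.0, size=d)   # linear model weights (nonzero by construction)
mean = X_bg.mean(axis=0)            # feature means E[x_i]

x_private = rng.normal(size=d)      # the record whose prediction is explained

# Shapley values released by the explanation API for x_private
phi = w * (x_private - mean)

# Reconstruction from the released explanation alone
x_hat = mean + phi / w

assert np.allclose(x_hat, x_private)  # perfect reconstruction

For non-linear black-box models there is no such closed form, which is presumably why an attack model must instead search iteratively for a candidate record whose explanation matches the observed one; this is the setting in which the choice of optimization algorithm, mentioned in the abstract's last sentence, matters.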


Metadata
Title
Combinations of AI Models and XAI Metrics Vulnerable to Record Reconstruction Risk
Authors
Ryotaro Toma
Hiroaki Kikuchi
Copyright Year
2024
DOI
https://doi.org/10.1007/978-3-031-69651-0_22