In contrast to privacy attacks focussing on individuals in a training dataset (e.g., membership inference), Property Inference Attacks (PIAs) are aimed at extracting population-level properties from trained Machine Learning (ML) models. These sensitive properties are often based on ratios, such as the ratio of male to female records in a dataset. If a company has trained an ML model on customer data, a PIA could for example reveal the demographics of their customer base to a competitor, compromising a potential trade secret. For ratio-based properties, inferring over a continuous range using regression is more natural than classification. We therefore extend previous white-box and black-box attacks by modelling property inference as a regression problem. For the black-box attack we further reduce prior assumptions by using an arbitrary attack dataset, independent from a target model’s training data. We conduct experiments on three datasets for both white-box and black-box scenarios, indicating promising adversary performances in each scenario with a test R^2 between 0.6 and 0.86. We then present a new defense mechanism based on adversarial training that successfully inhibits our black-box attacks. This mechanism proves to be effective in reducing the adversary’s R^2 from 0.63 to 0.07 and induces practically no utility loss, with the accuracy of target models dropping by no more than 0.2 percentage points.
@inproceedings{stockPropertyInferenceRegression2024,title={Property {{Inference}} as a {{Regression Problem}}: {{Attacks}} and {{Defense}}},shorttitle={Property {{Inference}} as a {{Regression Problem}}},booktitle={21th {{International Conference}} on {{Security}} and {{Cryptography}} ({{SECRYPT}} 2024)},author={Stock, Joshua and Lange, Lucas and Rahm, Erhard and Federrath, Hannes},year={2024},month=jul,pages={876--885},publisher={SciTePress},doi={10.5220/0012863800003767},url={https://www.scitepress.org/PublicationsDetail.aspx?ID=VOY5GiNn9B4=&t=1},urldate={2024-08-06},code={https://github.com/joshua-stock/bb-pia},isbn={978-989-758-709-2},pdf={https://dbs.uni-leipzig.de/files/research/publications/proc\_paper.pdf},bibtexshow={true},selected={true}}
Generating Synthetic Health Sensor Data for Privacy-Preserving Wearable Stress Detection
Smartwatch health sensor data are increasingly utilized in smart health applications and patient monitoring, including stress detection. However, such medical data often comprise sensitive personal information and are resource-intensive to acquire for research purposes. In response to this challenge, we introduce the privacy-aware synthetization of multi-sensor smartwatch health readings related to moments of stress, employing Generative Adversarial Networks (GANs) and Differential Privacy (DP) safeguards. Our method not only protects patient information but also enhances data availability for research. To ensure its usefulness, we test synthetic data from multiple GANs and employ different data enhancement strategies on an actual stress detection task. Our GAN-based augmentation methods demonstrate significant improvements in model performance, with private DP training scenarios observing an 11.90–15.48% increase in F1-score, while non-private training scenarios still see a 0.45% boost. These results underline the potential of differentially private synthetic data in optimizing utility–privacy trade-offs, especially with the limited availability of real training samples. Through rigorous quality assessments, we confirm the integrity and plausibility of our synthetic data, which, however, are significantly impacted when increasing privacy requirements.
@article{langeGeneratingSyntheticHealth2024a,title={Generating {{Synthetic Health Sensor Data}} for {{Privacy-Preserving Wearable Stress Detection}}},author={Lange, Lucas and Wenzlitschke, Nils and Rahm, Erhard},year={2024},month=may,journal={Sensors},volume={24},number={10},pages={3052},publisher={{Multidisciplinary Digital Publishing Institute}},issn={1424-8220},doi={10.3390/s24103052},url={https://www.mdpi.com/1424-8220/24/10/3052},urldate={2024-05-13},code={https://github.com/luckyos-code/Privacy-Preserving-Smartwatch-Health-Data-Generation-Using-DP-GANs},copyright={http://creativecommons.org/licenses/by/3.0/},langid={english},pdf={https://www.mdpi.com/1424-8220/24/10/3052/pdf},keywords={differential privacy,generative adversarial network,physiological sensor data,privacy-preserving machine learning,smart health,smartwatch,stress recognition,synthetic data,time series},bibtexshow={true},selected={true}}
2023
Privacy-Preserving Stress Detection Using Smartwatch Health Data
Lucas Lange, Borislav Degenkolb, and Erhard Rahm
4. Interdisciplinary Privacy & Security at Large Workshop, INFORMATIK 2023 (Sep. 2023)
We present the first privacy-preserving approach for stress detection from wrist-worn wearables based on the Time-Series Classification Transformer (TSCT) architecture and incorporating Differential Privacy (DP) to ensure provable privacy guarantees. The non-private baseline results prove the TSCT to be an effective model for the given task. Our DP experiments then show that the private models suffer from reduced utility but can still be used for reliable stress detection depending on the application. Our proposed approach has potential applications in smart health, where it can be used to monitor smartwatch users’ stress levels without compromising their privacy and provide timely interventions or suggestions to prevent adverse health outcomes. Another primary contribution is our evaluation, which studies and shows negative effects of DP regarding model training. The results of this work provide perspectives for future research and applications whenever the fields of stress detection and data privacy intervene.
@inproceedings{langePrivacyPreservingStressDetection2023,title={Privacy-{{Preserving Stress Detection Using Smartwatch Health Data}}},booktitle={4. {{Interdisciplinary Privacy}} \& {{Security}} at {{Large Workshop}}, {{INFORMATIK}} 2023},author={Lange, Lucas and Degenkolb, Borislav and Rahm, Erhard},year={2023},month=sep,publisher={{Gesellschaft f{\"u}r Informatik e.V.}},doi={10.18420/inf2023_66},url={https://doi.org/10.18420/inf2023_66},urldate={2023-12-14},code={https://github.com/luckyos-code/Privacy-Preserving-Stress-Transformer},isbn={978-3-88579-731-9},langid={english},pdf={https://dl.gi.de/server/api/core/bitstreams/23387493-d22e-42e2-98f1-45d297d94628/content},bibtexshow={true},selected={false}}
Sentiment analysis is a crucial tool to evaluate customer opinion on products and services. However, analyzing social media data raises concerns about privacy violations since users may share sensitive information in their posts. In this work, we propose a privacy-preserving approach for sentiment analysis on Twitter data using Differential Privacy (DP). We first implement a non-private baseline model and assess the impact of various settings and preprocessing methods. We then extend this approach with DP under multiple privacy parameters ε = 0.1, 1, 10 and finally evaluate the usability of the resulting private models. Our results show that DP models can maintain high accuracy for the studied task. We contribute to the development of privacy-preserving machine learning for customer opinion analysis and provide insights into trade-offs between privacy and utility. The proposed approach helps protect sensitive information while still allowing for valuable insights to be gained from social media data.
@inproceedings{twitterplaceholder,title={Privacy-Preserving Sentiment Analysis on Twitter},booktitle={{{SKILL}} 2023},author={Vogel, Felix and Lange, Lucas},year={2023},month=sep,publisher={{Gesellschaft f{\"u}r Informatik e.V.}},code={https://github.com/felix2246/dp-sent-analysis-twitter},pdf={https://dbs.uni-leipzig.de/file/SKILL2023_private_twitter_sentiment-6.pdf},bibtexshow={true},selected={false}}
Privacy at Risk: Exploiting Similarities in Health Data for Identity Inference
Lucas Lange, Tobias Schreieder, Victor Christen, and Erhard Rahm
Smartwatches enable the efficient collection of health data that can be used for research and comprehensive analysis to improve the health of individuals. In addition to the analysis capabilities, ensuring privacy when handling health data is a critical concern as the collection and analysis of such data become pervasive. Since health data contains sensitive information, it should be handled with responsibility and is therefore often treated anonymously. However, also the data itself can be exploited to reveal information and break anonymity. We propose a novel similarity-based re-identification attack on time-series health data and thereby unveil a significant vulnerability. Despite privacy measures that remove identifying information, our attack demonstrates that a brief amount of various sensor data from a target individual is adequate to possibly identify them within a database of other samples, solely based on sensor-level similarities. In our example scenario, where data owners leverage health data from smartwatches, findings show that we are able to correctly link the target data in two out of three cases. User privacy is thus already inherently threatened by the data itself and even when removing personal information.
@misc{langePrivacyRiskExploiting2023,title={Privacy at {{Risk}}: {{Exploiting Similarities}} in {{Health Data}} for {{Identity Inference}}},shorttitle={Privacy at {{Risk}}},author={Lange, Lucas and Schreieder, Tobias and Christen, Victor and Rahm, Erhard},year={2023},month=aug,number={arXiv:2308.08310},eprint={2308.08310},primaryclass={cs},publisher={{arXiv}},doi={10.48550/arXiv.2308.08310},url={http://arxiv.org/abs/2308.08310},urldate={2023-10-17},archiveprefix={arxiv},code={https://github.com/tobiasschreieder/smartwatch-dtw-attack},pdf={https://arxiv.org/pdf/2308.08310.pdf},keywords={Computer Science - Cryptography and Security},bibtexshow={true},selected={true}}
Privacy in Practice: Private COVID-19 Detection in X-Ray Images
Lucas Lange, Maja Schneider, Peter Christen, and Erhard Rahm
20th International Conference on Security and Cryptography (SECRYPT 2023) (Jul. 2023)
Machine learning (ML) can help fight pandemics like COVID-19 by enabling rapid screening of large volumes of images. To perform data analysis while maintaining patient privacy, we create ML models that satisfy Differential Privacy (DP). Previous works exploring private COVID-19 models are in part based on small datasets, provide weaker or unclear privacy guarantees, and do not investigate practical privacy. We suggest improvements to address these open gaps. We account for inherent class imbalances and evaluate the utility-privacy trade-off more extensively and over stricter privacy budgets. Our evaluation is supported by empirically estimating practical privacy through black-box Membership Inference Attacks (MIAs). The introduced DP should help limit leakage threats posed by MIAs, and our practical analysis is the first to test this hypothesis on the COVID-19 classification task. Our results indicate that needed privacy levels might differ based on the task-dependent practical threat from MIAs. The results further suggest that with increasing DP guarantees, empirical privacy leakage only improves marginally, and DP therefore appears to have a limited impact on practical MIA defense. Our findings identify possibilities for better utility-privacy trade-offs, and we believe that empirical attack-specific privacy estimation can play a vital role in tuning for practical privacy.
@inproceedings{langePrivacyPracticePrivate2023a,title={Privacy in {{Practice}}: {{Private COVID-19 Detection}} in {{X-Ray Images}}},booktitle={20th {{International Conference}} on {{Security}} and {{Cryptography}} ({{SECRYPT}} 2023)},author={Lange, Lucas and Schneider, Maja and Christen, Peter and Rahm, Erhard},year={2023},month=jul,pages={624--633},publisher={{SciTePress}},doi={10.5220/0012048100003555},url={https://doi.org/10.5220/0012048100003555},urldate={2023-07-21},code={https://github.com/luckyos-code/mia-covid},isbn={978-989-758-666-8},pdf={https://dbs.uni-leipzig.de/files/research/publications/2023-7/pdf/proc_paper.pdf},keywords={COVID-19 Detection,Differential Privacy,Differentially-Private Stochastic Gradient Descent,Membership Inference Attack,Practical Privacy,Privacy-Preserving Machine Learning},bibtexshow={true},selected={false}}
2022
Privacy in Practice: Private COVID-19 Detection in X-Ray Images (Extended Version)
Lucas Lange, Maja Schneider, Peter Christen, and Erhard Rahm
Machine learning (ML) can help fight pandemics like COVID-19 by enabling rapid screening of large volumes of images. To perform data analysis while maintaining patient privacy, we create ML models that satisfy Differential Privacy (DP). Previous works exploring private COVID-19 models are in part based on small datasets, provide weaker or unclear privacy guarantees, and do not investigate practical privacy. We suggest improvements to address these open gaps. We account for inherent class imbalances and evaluate the utility-privacy trade-off more extensively and over stricter privacy budgets. Our evaluation is supported by empirically estimating practical privacy through black-box Membership Inference Attacks (MIAs). The introduced DP should help limit leakage threats posed by MIAs, and our practical analysis is the first to test this hypothesis on the COVID-19 classification task. Our results indicate that needed privacy levels might differ based on the task-dependent practical threat from MIAs. The results further suggest that with increasing DP guarantees, empirical privacy leakage only improves marginally, and DP therefore appears to have a limited impact on practical MIA defense. Our findings identify possibilities for better utility-privacy trade-offs, and we believe that empirical attack-specific privacy estimation can play a vital role in tuning for practical privacy.
@misc{langePrivacyPracticePrivate2022,title={Privacy in {{Practice}}: {{Private COVID-19 Detection}} in {{X-Ray Images}} ({{Extended Version}})},author={Lange, Lucas and Schneider, Maja and Christen, Peter and Rahm, Erhard},year={2022},month=nov,number={arXiv:2211.11434},eprint={2211.11434},primaryclass={cs},publisher={{arXiv}},doi={10.48550/arXiv.2211.11434},url={http://arxiv.org/abs/2211.11434},urldate={2023-06-01},archiveprefix={arxiv},code={https://github.com/luckyos-code/mia-covid},pdf={https://arxiv.org/pdf/2211.11434.pdf},keywords={Computer Science - Computer Vision and Pattern Recognition,Computer Science - Cryptography and Security,Computer Science - Machine Learning},bibtexshow={true},selected={false}}
2020
SentArg: A Hybrid Doc2Vec/DPH Model with Sentiment Analysis Refinement
In this work we explore the yet untested inclusion of sentiment analysis in the argument ranking process. By utilizing a word embedding model we create document embeddings for all queries and arguments. These are compared with each other to calculate top-N argument context scores for each query. We also calculate top-N DPH scores with the Terrier Framework. This way, each query receives two lists of top-N arguments. Afterwards we form an intersection of both argument lists and sort the result by the DPH scores. To further increase the ranking quality, we sort the final arguments of each query by sentiment values. Our findings ultimately imply that rewarding neutral sentiments can decrease the quality of the retrieval outcome.
@inproceedings{staudteSentArgHybridDoc2Vec2020,title={{{SentArg}}: {{A Hybrid Doc2Vec}}/{{DPH Model}} with {{Sentiment Analysis Refinement}}},booktitle={{{CLEF}} 2020 {{Working Notes}}},author={Staudte, Christian and Lange, Lucas},editor={Cappellato, Linda and Eickhoff, Carsten and Ferro, Nicola and N{\'e}v{\'e}ol, Aur{\'e}lie},year={2020},month=sep,series={{{CEUR Workshop Proceedings}}},volume={2696},publisher={{CEUR}},address={{Thessaloniki, Greece}},issn={1613-0073},url={http://ceur-ws.org/Vol-2696/#paper_191},urldate={2022-10-20},code={https://github.com/luckyos-code/ArgU},langid={english},pdf={https://ceur-ws.org/Vol-2696/paper\_191.pdf},bibtexshow={true},selected={false}}