Indexed Journal Article
Social IoT Approach to Cyber Defense of a Deep-Learning-Based Recognition System in front of Media Clones Generated by Model Inversion Attack
Recorded in:
M. Khosravy et al., "Social IoT Approach to Cyber Defense of a Deep-Learning-Based Recognition System in Front of Media Clones Generated by Model Inversion Attack," in IEEE Transactions on Systems, Man, and Cybernetics: Systems, vol. 53, no. 5, pp. 2694-2704, May 2023, doi: 10.1109/TSMC.2022.3220080.
2168-2216
Author
Khosravy, Mahdi
Nakamura, Kazuaki
Nitta, Naoko
Dey, Nilanjan
González-Crespo, Rubén
Herrera-Viedma, Enrique
Babaguchi, Noboru
Institution
Abstract
Model inversion attack (MIA) is a cyber threat of increasing concern, even for deep-learning-based recognition systems (DLRSs). Targeting a DLRS under a scenario in which the attacker has access to the model structure and parameters, MIA generates a data clone for a chosen target class label. To counter the threats posed by such MIA-generated data clones, this work proposes a social IoT approach to collaborative cyber defense among the online recognition systems (RSs) that share the targeted class label. Since an MIA clone is generated by targeting one RS model and using its structure, parameters, and class-label output scores in an iterative optimization process, the generated clone is partially inherent to the targeted model. Thus, an MIA clone is expected to perform differently on a secondary RS that includes the same targeted class label: in the MIA generation of the clone, not only the targeted class label but also the other class labels and the model parameters and structure affect the process, whereas the second model has only the targeted class label in common with the targeted model. Deploying the Social Internet of Recognition Systems (SIoRS), the proposed technique uses collaborative recognition by the SIoRS as a complementary recognition alongside the targeted RS. The recognition output of the targeted RS is further verified against the SIoRS complementary recognition result. To reject MIA-targeted data clones, the recognition is verified by a log-likelihood ratio test between the confidence scores of the targeted RS and of the SIoRS complementary recognition. The proposed technique is evaluated by statistical analysis on deep face RSs in 10000 Monte Carlo runs for each of the conventional, DC-generative adversarial network (DC-GAN) integrated, and $\alpha$-GAN integrated MIA techniques, targeting two different user identities. The $Z$ scores of the normal distribution fitted to the log-likelihood ratios indicate an almost 100% detection rate for clones generated by conventional MIA, and 95.23% and 86% for clones generated by the DC-GAN and $\alpha$-GAN integrated deep MIA techniques, respectively.