Ana-Maria Cretu

Ana-Maria Cretu

Ph.D. Student in Computing

Ana-Maria Cretu is a final year PhD candidate in the Computational Privacy Group at Imperial College London, advised by Dr. Yves-Alexandre de Montjoye. Her research lies at the intersection between machine learning, privacy, and security. She studies privacy and security vulnerabilities in data processing technologies: machine learning models, query-based systems, and perceptual hashing-based client-side scanning, through the lens of automated attacks. Through a rigorous study of privacy vulnerabilities, her research can inform the design of principled countermeasures allowing to prevent them and, ultimately, to use data safely.
Prior to starting her PhD, she obtained an MSc in Computer Science from EPFL, Switzerland, and the Diplome d’Ingénieur de l’Ecole Polytechnique (equivalent to a Bachelors and Master’s degree) from Ecole Polytechnique, France. At Ecole Polytechnique, She studied Pure and Applied Mathematics and Computer Science, and specialized in Data Science. Towards completion of her EPFL MSc degree, she did my Master Thesis in the Department of Computer Science at the University of Oxford under the supervision of Prof. Thomas Lukasiewicz, and in close collaboration with Dr. Oana-Maria Camburu. Her research there was on 1) developing deep learning-based approaches to solve the Winograd Schema Challenge and on 2) developing sentence representation models with the goal of improving interpretability and performance on a set of benchmark natural language processing tasks.
In the summer of 2022, she was a research intern in the Microsoft Research Confidential Computing team (Cambridge, UK). She worked on the privacy of machine learning models with Shruti Tople and Daniel Jones. In the summer of 2020, She was a research intern at Twitter (London, UK) in the graph learning team. She worked with Dr. Davide Eynard on the privacy of Twitter graph data. In 2017, she did a summer internship at Google (Boulder, Colorado, USA), in the Payments Compliance Engineering Team, where she was supervised by Craig Wright. In 2016, I did a 5-month internship at Google (Paris, France), where she was supervised by Dr. Sertan Girgin.

Scroll down for more details...

QuerySnout: Automating the Discovery of Attribute Inference Attacks against Query-Based Systems

Lightning Talk

Attribute Inference Attacks; Query-Based Systems

Query-based systems (QBS), controlled interfaces through which analysts can query a database, have the potential to enable privacy-preserving anonymous data analysis at scale. Building QBSs that robustly protect the privacy of individuals contributing to the dataset is however a hard problem. Theoretical solutions relying on differential privacy guarantees are difficult to implement correctly with reasonable accuracy, while ad-hoc solutions might contain unknown vulnerabilities. Evaluating the privacy provided by QBSs must thus be done by evaluating the accuracy of a wide range of privacy attacks. However, existing attacks require time and expertise to develop, need to be manually tailored to the specific systems attacked, and are limited in scope. In this paper, we develop QuerySnout (QS), the first method to automatically discover vulnerabilities in QBSs. QS takes as input a target record and the QBS as a black box, analyzes its behavior on one or more datasets, and outputs a multiset of queries together with a rule to combine answers to them in order to reveal the sensitive attribute of the target record. QS uses evolutionary search techniques based on a novel mutation operator to find a multiset of queries susceptible to lead to an attack, and a machine learning classifier to infer the sensitive attribute from answers to the queries selected. We showcase the versatility of QS by applying it to two attack scenarios, three real-world datasets, and a variety of protection mechanisms. We show the attacks found by QS to consistently equate or outperform, sometimes by a large margin, the best attacks from the literature. We finally show how QS can be extended to QBSs that require a budget, and apply QS to a simple QBS based on the Laplace mechanism. Taken together, our results show how powerful and accurate attacks against QBSs can already be found by an automated system, allowing for highly complex QBSs to be automatically tested “at the pressing of a button”.