Haonan Shi,Tu Ouyang,An Wang

2024-07-09

Abstract:Machine learning models, in particular deep neural networks, are currently an integral part of various applications, from healthcare to finance. However, using sensitive data to train these models raises concerns about privacy and security. One method that has emerged to verify if the trained models are privacy-preserving is Membership Inference Attacks (MIA), which allows adversaries to determine whether a specific data point was part of a model's training dataset. While a series of MIAs have been proposed in the literature, only a few can achieve high True Positive Rates (TPR) in the low False Positive Rate (FPR) region (0.01%~1%). This is a crucial factor to consider for an MIA to be practically useful in real-world settings. In this paper, we present a novel approach to MIA that is aimed at significantly improving TPR at low FPRs. Our method, named learning-based difficulty calibration for MIA(LDC-MIA), characterizes data records by their hardness levels using a neural network classifier to determine membership. The experiment results show that LDC-MIA can improve TPR at low FPR by up to 4x compared to the other difficulty calibration based MIAs. It also has the highest Area Under ROC curve (AUC) across all datasets. Our method's cost is comparable with most of the existing MIAs, but is orders of magnitude more efficient than one of the state-of-the-art methods, LiRA, while achieving similar performance.

Cryptography and Security,Artificial Intelligence,Machine Learning

Meiyi Zhu,Caili Guo,Chunyan Feng,Osvaldo Simeone

2024-08-16

Abstract:In a membership inference attack (MIA), an attacker exploits the overconfidence exhibited by typical machine learning models to determine whether a specific data point was used to train a target model. In this paper, we analyze the performance of the state-of-the-art likelihood ratio attack (LiRA) within an information-theoretical framework that allows the investigation of the impact of the aleatoric uncertainty in the true data generation process, of the epistemic uncertainty caused by a limited training data set, and of the calibration level of the target model. We compare three different settings, in which the attacker receives decreasingly informative feedback from the target model: confidence vector (CV) disclosure, in which the output probability vector is released; true label confidence (TLC) disclosure, in which only the probability assigned to the true label is made available by the model; and decision set (DS) disclosure, in which an adaptive prediction set is produced as in conformal prediction. We derive bounds on the advantage of an MIA adversary with the aim of offering insights into the impact of uncertainty and calibration on the effectiveness of MIAs. Simulation results demonstrate that the derived analytical bounds predict well the effectiveness of MIAs.

Information Theory,Cryptography and Security,Machine Learning,Signal Processing

Shuwen Liu,Yongfeng Qian,Yixue Hao

DOI: https://doi.org/10.1109/dsn-s60304.2024.00046

2024-01-01

Abstract:The growing prominence of transfer learning in domains such as healthcare and finance highlights its efficacy in enhancing machine learning models. However, conventional membership inference attacks (MIA) often struggle to perform well when applied to transfer learning models trained under normal fit. To address this challenge, we propose a novel approach called PC-MIA. This approach involves generating multiple poisoned reference models using toxic samples. These poisoned models are then utilized to calibrate the difficulty of samples and reveal their true hardness, thereby enhancing the accuracy of MIA. Through empirical evaluations conducted on real-world datasets and employing diverse model architectures, our approach demonstrates its ability to significantly improve the accuracy of membership inference.

Wenjie Fu,Huandong Wang,Chen Gao,Guanghua Liu,Yong Li,Tao Jiang

2024-06-25

Abstract:Membership Inference Attacks (MIA) aim to infer whether a target data record has been utilized for model training or not. Prior attempts have quantified the privacy risks of language models (LMs) via MIAs, but there is still no consensus on whether existing MIA algorithms can cause remarkable privacy leakage on practical Large Language Models (LLMs). Existing MIAs designed for LMs can be classified into two categories: reference-free and reference-based attacks. They are both based on the hypothesis that training records consistently strike a higher probability of being sampled. Nevertheless, this hypothesis heavily relies on the overfitting of target models, which will be mitigated by multiple regularization methods and the generalization of LLMs. The reference-based attack seems to achieve promising effectiveness in LLMs, which measures a more reliable membership signal by comparing the probability discrepancy between the target model and the reference model. However, the performance of reference-based attack is highly dependent on a reference dataset that closely resembles the training dataset, which is usually inaccessible in the practical scenario. Overall, existing MIAs are unable to effectively unveil privacy leakage over practical fine-tuned LLMs that are overfitting-free and private. We propose a Membership Inference Attack based on Self-calibrated Probabilistic Variation (SPV-MIA). Specifically, since memorization in LLMs is inevitable during the training process and occurs before overfitting, we introduce a more reliable membership signal, probabilistic variation, which is based on memorization rather than overfitting. Furthermore, we introduce a self-prompt approach, which constructs the dataset to fine-tune the reference model by prompting the target LLM itself. In this manner, the adversary can collect a dataset with a similar distribution from public APIs.

Computation and Language,Cryptography and Security,Machine Learning

Yucheng Long,Zuobin Ying,Hongyang Yan,Hongyang Yan,Ranqing Fang,Xingyu Li,Yajie Wang,Zijie Pan

DOI: https://doi.org/10.1016/j.ins.2023.03.008

IF: 8.1

2023-07-01

Information Sciences

Abstract:To further enhance the reliability of Machine Learning (ML) systems, considerable efforts have been dedicated to developing privacy protection techniques. Recently, membership privacy has gained increasing attention, with a focus on determining whether a specific data point is present in the confidential training set of an ML model. However, most current attacks only prioritize attack accuracy and fail to extend their range to the evidence that contributes to the member/non-member classification. This limitation greatly reduces the practicality of Membership Inference Attacks (MIA), as real-world data typically includes multiple features, making it challenging to identify which features are involved in the sensitive training set. Therefore, this paper targets one of the fundamental challenges in membership inference attack: measuring the distance between an attack sample and a member sample. Specifically, we propose a novel threat model called Membership Reconstruction Attack (MRA), which aims to reconstruct the exact distribution of the target training set. MRA achieves this by marking each input dimension (e.g., pixels) according to its similarity to the target dataset in feature space. Our attack demonstrates its effectiveness across various settings, including different major datasets (MNIST, CIFAR-10, CIFAR-100) and different model architectures (AlexNet, ResNet, DenseNet, and generative models). Additionally, we evaluate MRA from the defenders' perspective and test several defense approaches against our attack.

computer science, information systems

Shahbaz Rezaei,Xin Liu

DOI: https://doi.org/10.48550/arXiv.2212.02701

2022-12-06

Cryptography and Security

Abstract:With the wide-spread application of machine learning models, it has become critical to study the potential data leakage of models trained on sensitive data. Recently, various membership inference (MI) attacks are proposed to determine if a sample was part of the training set or not. The question is whether these attacks can be reliably used in practice. We show that MI models frequently misclassify neighboring nonmember samples of a member sample as members. In other words, they have a high false positive rate on the subpopulations of the exact member samples that they can identify. We then showcase a practical application of MI attacks where this issue has a real-world repercussion. Here, MI attacks are used by an external auditor (investigator) to show to a judge/jury that an auditee unlawfully used sensitive data. Due to the high false positive rate of MI attacks on member's subpopulations, auditee challenges the credibility of the auditor by revealing the performance of the MI attacks on these subpopulations. We argue that current membership inference attacks can identify memorized subpopulations, but they cannot reliably identify which exact sample in the subpopulation was used during the training.

Florent Guépin,Nataša Krčo,Matthieu Meeus,Yves-Alexandre de Montjoye

2024-05-24

Abstract:Membership Inference Attacks (MIAs) are widely used to evaluate the propensity of a machine learning (ML) model to memorize an individual record and the privacy risk releasing the model poses. MIAs are commonly evaluated similarly to ML models: the MIA is performed on a test set of models trained on datasets unseen during training, which are sampled from a larger pool, $D_{eval}$. The MIA is evaluated across all datasets in this test set, and is thus evaluated across the distribution of samples from $D_{eval}$. While this was a natural extension of ML evaluation to MIAs, recent work has shown that a record's risk heavily depends on its specific dataset. For example, outliers are particularly vulnerable, yet an outlier in one dataset may not be one in another. The sources of randomness currently used to evaluate MIAs may thus lead to inaccurate individual privacy risk estimates. We propose a new, specific evaluation setup for MIAs against ML models, using weight initialization as the sole source of randomness. This allows us to accurately evaluate the risk associated with the release of a model trained on a specific dataset. Using SOTA MIAs, we empirically show that the risk estimates given by the current setup lead to many records being misclassified as low risk. We derive theoretical results which, combined with empirical evidence, suggest that the risk calculated in the current setup is an average of the risks specific to each sampled dataset, validating our use of weight initialization as the only source of randomness. Finally, we consider an MIA with a stronger adversary leveraging information about the target dataset to infer membership. Taken together, our results show that current MIA evaluation is averaging the risk across datasets leading to inaccurate risk estimates, and the risk posed by attacks leveraging information about the target dataset to be potentially underestimated.

Machine Learning,Cryptography and Security

Shi Chen,Wennan Wang,Yubin Zhong,Zuobin Ying,Weixuan Tang,Zijie Pan

DOI: https://doi.org/10.1016/j.cose.2023.103571

IF: 5.105

2023-11-02

Computers & Security

Abstract:Membership Inference Attacks (MIAs) have been considered as one of the major privacy threats in recent years, especially in machine learning models. Most canonical MIAs identify whether a specific data point was presented in the confidential training set of a neural network by analyzing its output pattern on such data point. However, these methods heavily rely on overfitting and are difficult to achieve high precision. Although some recent works, such as difficulty calibration techniques, have try to tackle this problem in a tentative manner, identifying members with high precision is still a difficult task. To address above challenge, in this paper we rethink how overfitting impacts MIA and argue that it can provide much clearer signals of non-member samples. In scenarios where the cost of launching an attack is high, such signals can avoid unnecessary attacks and reduce the attack's false positive rate. Based on our observation, we propose High-Precision MIA (HP-MIA), a novel two-stage attack scheme that leverages membership exclusion techniques to guarantee high membership prediction precision. Our empirical results have illustrated that our two-stage attack can significantly increase the number of identified members while guaranteeing high precision.

computer science, information systems

Zheng Li,Yang Zhang

DOI: https://doi.org/10.1051/sands/2024017

2024-01-01

Security and Safety

Abstract:Machine learning (ML) has made significant strides in various tasks, largely due to the availability of large-scale datasets. However, these datasets often contain sensitive information, posing serious privacy risks. Membership inference attacks (MIAs) exploit these risks by determining whether a specific data sample was used to train an ML model, potentially leading to significant data leaks. This paper reviews the current state of MIAs, examining their principles, threat models, and methodologies. Additionally, this paper discusses the limitations and challenges in existing research and proposes future directions to improve the robustness and privacy of ML models.

Xihua Ma,Youliang Tian,Zehua Ding

DOI: https://doi.org/10.1109/nana60121.2023.00100

2023-01-01

Abstract:Machine learning (ML) models are susceptible to membership inference attacks (MIAs), which aim to infer whether a particular sample was involved in model training. Previous research suggests that the difference in loss distribution between member and non-member sample is an essential factor of MIAs. In the latest mitigation strategies to reduce the loss distribution discrepancy, the model owner must manually set a loss target for the training task. However, this can be challenging due to differences in datasets and model structures. We propose a new mitigation strategy based on existing studies, which can dynamically adjust the loss target during the training process according to the model structure and dataset characteristics, to achieve a reduced loss gap. We extensively evaluated our strategy in white-box and black-box environments, respectively. Our experimental results show that our approach avoids the problem of setting loss targets and even improves the model's resistance to attacks in most cases. Specifically, the accuracy of the attacks is reduced by an average of 4.92% and 11.3% in the black-box and white-box environments, respectively.

NIU Jun,MA Xiaoji,CHEN Ying,ZHANG Ge,HE Zhipeng,HOU Zhexian,ZHU Xiaoyan,WU Gaofei,CHEN Kai,ZHANG Yuqing

DOI: https://doi.org/10.19363/J.cnki.cn10-1380/tn.2022.11.01

2022-01-01

Journal of Cyber Security

Abstract:The newly emerged machine learning（ML） methods have been widely applied to various applications, and have become a strong driving force to revolutionize a wide range of industries, which have greatly promoted the prosperity and development of artificial intelligence. Meanwhile, the training and inference of the machine learning model are based on a large amount of data, which always contains some private information. And the privacy and security of the ML has faced serious challenges. Membership inference attacks（MIAs） mainly aim to infer whether a data record was used to train a target model or not. MIAs have not only been shown to be effective on various ML models（e.g., classification models and generative models）, but also have been penetrated into the fields of image classification, speech recognition, natural language processing, computer vision and so on, which creates a great security threat to the long-term development of machine learning.Therefore, in order to better improve the security of ML models for membership inference attacks, in this paper, we systematically introduce and analyze the basic principles and characteristics of the MIAs and their defenses from a ML attack-defense perspective. Firstly, we introduce the definitions and threat models of the MIAs, and classify these MIAs from six different perspectives such as attacks’ principles, scenarios, background knowledge, target models, fields and the size of attack datasets, and we compare their advantages and disadvantages. Secondly, we summary the reasons caused the MIAs from three aspects, namely diversity of training data, types of target models and overfitting of target models. Thirdly, we survey defensive techniques for MIAs as well as their characteristics by differential privacy, regularization, data argumentation,model stacking, early stopping, confidence score masking and knowledge distillation. Futhermore, we institute the evaluation metrics and datasets used in MIAs, and the other applications of the MIAs. Finally, by comparing and analyzing the existing MIAs and their defenses, we discuss the challenges and future research directions.

Chumeng Liang,Jiaxuan You

2024-10-05

Abstract:Membership inference attacks (MIAs) on diffusion models have emerged as potential evidence of unauthorized data usage in training pre-trained diffusion models. These attacks aim to detect the presence of specific images in training datasets of diffusion models. Our study delves into the evaluation of state-of-the-art MIAs on diffusion models and reveals critical flaws and overly optimistic performance estimates in existing MIA evaluation. We introduce CopyMark, a more realistic MIA benchmark that distinguishes itself through the support for pre-trained diffusion models, unbiased datasets, and fair evaluation pipelines. Through extensive experiments, we demonstrate that the effectiveness of current MIA methods significantly degrades under these more practical conditions. Based on our results, we alert that MIA, in its current state, is not a reliable approach for identifying unauthorized data usage in pre-trained diffusion models. To the best of our knowledge, we are the first to discover the performance overestimation of MIAs on diffusion models and present a unified benchmark for more realistic evaluation. Our code is available on GitHub: \url{<a class="link-external link-https" href="https://github.com/caradryanl/CopyMark" rel="external noopener nofollow">this https URL</a>}.

Machine Learning

Jiacheng Li,Ninghui Li,Bruno Ribeiro

DOI: https://doi.org/10.1145/3422337.3447836

2021-02-03

Abstract:We study the membership inference (MI) attack against classifiers, where the attacker's goal is to determine whether a data instance was used for training the classifier. Through systematic cataloging of existing MI attacks and extensive experimental evaluations of them, we find that a model's vulnerability to MI attacks is tightly related to the generalization gap -- the difference between training accuracy and test accuracy. We then propose a defense against MI attacks that aims to close the gap by intentionally reduces the training accuracy. More specifically, the training process attempts to match the training and validation accuracies, by means of a new {\em set regularizer} using the Maximum Mean Discrepancy between the softmax output empirical distributions of the training and validation sets. Our experimental results show that combining this approach with another simple defense (mix-up training) significantly improves state-of-the-art defense against MI attacks, with minimal impact on testing accuracy.

Cryptography and Security,Machine Learning

Zheng Zhang,Jianfeng Ma,Xindi Ma,Ruikang Yang,Xiangyu Wang,Junying Zhang

DOI: https://doi.org/10.1016/j.ins.2024.120636

IF: 8.1

2024-04-19

Information Sciences

Abstract:Large-capacity machine learning models are vulnerable to membership inference attacks that disclose the privacy of the training dataset. The privacy concerns posed by membership inference attacks have inspired many defense strategies.Unfortunately, they have various limitations: 1) failing to achieve a high-quality tradeoff between membership privacy and model utility. 2) Providing little flexibility to users. This paper proposes Repair-Membership Learning(RM Learning), a simple but effective defense mechanism. RM Learning mitigates membership inference attacks by giving each sample of the training dataset an appropriate soft label to reduce the loss gap between the training and testing datasets of the model. Meanwhile, RM Learning controls the distinguishability between the training and testing datasets by limiting the model's loss gap over them with an adjustable parameter λ to give users flexibility. We evaluated the RM Learning algorithm on four datasets with seven models and compared it with three state-of-the-art methods. For instance, we reduce the effectiveness of black-box and white-box membership inference attacks to about 50.0%, with a loss of less than 1.3% of testing accuracy, for the CIFAR10 dataset with the ResNet18 model.

computer science, information systems

Haritz Puerto,Martin Gubri,Sangdoo Yun,Seong Joon Oh

2024-11-01

Abstract:Membership inference attacks (MIA) attempt to verify the membership of a given data sample in the training set for a model. MIA has become relevant in recent years, following the rapid development of large language models (LLM). Many are concerned about the usage of copyrighted materials for training them and call for methods for detecting such usage. However, recent research has largely concluded that current MIA methods do not work on LLMs. Even when they seem to work, it is usually because of the ill-designed experimental setup where other shortcut features enable "cheating." In this work, we argue that MIA still works on LLMs, but only when multiple documents are presented for testing. We construct new benchmarks that measure the MIA performances at a continuous scale of data samples, from sentences (n-grams) to a collection of documents (multiple chunks of tokens). To validate the efficacy of current MIA approaches at greater scales, we adapt a recent work on Dataset Inference (DI) for the task of binary membership detection that aggregates paragraph-level MIA features to enable MIA at document and collection of documents level. This baseline achieves the first successful MIA on pre-trained and fine-tuned LLMs.

Computation and Language,Artificial Intelligence,Machine Learning

Mauro Conti,Jiaxin Li,Stjepan Picek

DOI: https://doi.org/10.48550/arXiv.2210.16258

2022-10-28

Cryptography and Security

Abstract:Membership Inference Attacks (MIAs) infer whether a data point is in the training data of a machine learning model. It is a threat while being in the training data is private information of a data point. MIA correctly infers some data points as members or non-members of the training data. Intuitively, data points that MIA accurately detects are vulnerable. Considering those data points may exist in different target models susceptible to multiple MIAs, the vulnerability of data points under multiple MIAs and target models is worth exploring. This paper defines new metrics that can reflect the actual situation of data points' vulnerability and capture vulnerable data points under multiple MIAs and target models. From the analysis, MIA has an inference tendency to some data points despite a low overall inference performance. Additionally, we implement 54 MIAs, whose average attack accuracy ranges from 0.5 to 0.9, to support our analysis with our scalable and flexible platform, Membership Inference Attacks Platform (VMIAP). Furthermore, previous methods are unsuitable for finding vulnerable data points under multiple MIAs and different target models. Finally, we observe that the vulnerability is not characteristic of the data point but related to the MIA and target model.

Eric Aubinais,Elisabeth Gassiat,Pablo Piantanida

2024-06-11

Abstract:Membership inference attacks (MIA) can reveal whether a particular data point was part of the training dataset, potentially exposing sensitive information about individuals. This article provides theoretical guarantees by exploring the fundamental statistical limitations associated with MIAs on machine learning models. More precisely, we first derive the statistical quantity that governs the effectiveness and success of such attacks. We then theoretically prove that in a non-linear regression setting with overfitting algorithms, attacks may have a high probability of success. Finally, we investigate several situations for which we provide bounds on this quantity of interest. Interestingly, our findings indicate that discretizing the data might enhance the algorithm's security. Specifically, it is demonstrated to be limited by a constant, which quantifies the diversity of the underlying data distribution. We illustrate those results through two simple simulations.

Machine Learning,Artificial Intelligence

Zhihao Zhu,Chenwang Wu,Rui Fan,Defu Lian,Enhong Chen

DOI: https://doi.org/10.1145/3543507.3583447

2023-01-01

Abstract:Recent studies have demonstrated the vulnerability of recommender systems to membership inference attacks, which determine whether a user’s historical data was utilized for model training, posing serious privacy leakage issues. Existing works assumed that member and non-member users follow different recommendation modes, and then infer membership based on the difference vector between the user’s historical behaviors and the recommendation list. The previous frameworks are invalid against inductive recommendations, such as sequential recommendations, since the disparities of difference vectors constructed by the recommendations between members and non-members become imperceptible. This motivates us to dig deeper into the target model. In addition, most MIA frameworks assume that they can obtain some in-distribution data from the same distribution of the target data, which is hard to gain in recommender system. To address these difficulties, we propose a Membership Inference Attack framework against sequential recommenders based on Model Extraction(ME-MIA). Specifically, we train a surrogate model to simulate the target model based on two universal loss functions. For a given behavior sequence, the loss functions ensure the recommended items and corresponding rank of the surrogate model are consistent with the target model’s recommendation. Due to the special training mode of the surrogate model, it is hard to judge which user is its member(non-member). Therefore, we establish a shadow model and use shadow model’s members(non-members) to train the attack model later. Next, we build a user feature generator to construct representative feature vectors from the shadow(surrogate) model. The crafting feature vectors are finally input into the attack model to identify users’ membership. Furthermore, to tackle the high cost of obtaining in-distribution data, we develop two variants of ME-MIA, realizing data-efficient and even data-free MIA by fabricating authentic in-distribution data. Notably, the latter is impossible in the previous works. Finally, we evaluate ME-MIA against multiple sequential recommendation models on three real-world datasets. Experimental results show that ME-MIA and its variants can achieve efficient extraction and outperform state-of-the-art algorithms in terms of attack performance.

Yiyong Liu,Zhengyu Zhao,Michael Backes,Yang Zhang

DOI: https://doi.org/10.1145/3548606.3560684

2022-01-01

Abstract:Machine learning models are vulnerable to membership inference attacks in which an adversary aims to predict whether or not a particular sample was contained in the target model's training dataset. Existing attack methods have commonly exploited the output information (mostly, losses) solely from the given target model. As a result, in practical scenarios where both the member and non-member samples yield similarly small losses, these methods are naturally unable to differentiate between them. To address this limitation, in this paper, we propose a new attack method, called TrajectoryMIA, which can exploit the membership information from the whole training process of the target model for improving the attack performance. To mount the attack in the common black-box setting, we leverage knowledge distillation, and represent the membership information by the losses evaluated on a sequence of intermediate models at different distillation epochs, namely distilled loss trajectory, together with the loss from the given target model. Experimental results over different datasets and model architectures demonstrate the great advantage of our attack in terms of different metrics. For example, on CINIC-10, our attack achieves at least 6 times higher true-positive rate at a low false-positive rate of 0.1% than existing methods. Further analysis demonstrates the general effectiveness of our attack in more strict scenarios.

Ben Niu,Jingwei Sun,Yahong Chen,Likun Zhang,Jin Cao,Kui Geng,Fenghua Li

DOI: https://doi.org/10.1109/swc57546.2023.10448806

2023-01-01

Abstract:Existing works have demonstrated that machine learning models may leak sensitive information of the training set to adversaries who launch the membership inference attacks (MIAs). Most of the existing studies on MIAs focus on improving the accuracy of attacks and relaxing assumptions about adversaries, and lack systematical evaluation on the impact of adversarial factors on MIAs. In this paper, we implement several recent attacks and compare their performance to study the importance of seven typical factors, including four background knowledge and three attack parameters. Specifically, we classify these factors according to the target model, the shadow model and the attack model. In our experiments, we use five datasets, CIFAR-100, CIFAR-10, MNIST, Purchase and Location to evaluate the performance of different MIAs with varied factors. Results indicate that factors about the shadow model structure, training data distribution and the target model output exert the dominant impact on the attack performance. We further explore and interpret how these dominant factors affect the success rate of MIAs through experimental analysis.