Li Hu,Anli Yan,Hongyang Yan,Jin Li,Teng Huang,Yingying Zhang,Changyu Dong,Chunsheng Yang

DOI: https://doi.org/10.1145/3620667

IF: 16.6

2023-09-18

ACM Computing Surveys

Abstract:Machine learning (ML) has gained widespread adoption in a variety of fields, including computer vision and natural language processing. However, ML models are vulnerable to membership inference attacks (MIAs), which can infer whether access data was used in training a target model, thus compromising the privacy of training data. This has led researchers to focus on protecting the privacy of ML. To date, although there have been extensive efforts to defend against MIAs, we still lack a comprehensive understanding of the progress made in this area, which can often impede our ability to design the most effective defense strategies. In this paper, we aim to fill this critical knowledge gap by providing a systematic analysis of membership inference defense.Specifically, we classify and summarize the existing membership inference defense schemes, focusing on optimization phase and objective, basic intuition, and key technology, and discuss possible research directions of membership inference defense in the future.

computer science, theory & methods

Zheng Li,Yang Zhang

DOI: https://doi.org/10.1051/sands/2024017

2024-01-01

Security and Safety

Abstract:Machine learning (ML) has made significant strides in various tasks, largely due to the availability of large-scale datasets. However, these datasets often contain sensitive information, posing serious privacy risks. Membership inference attacks (MIAs) exploit these risks by determining whether a specific data sample was used to train an ML model, potentially leading to significant data leaks. This paper reviews the current state of MIAs, examining their principles, threat models, and methodologies. Additionally, this paper discusses the limitations and challenges in existing research and proposes future directions to improve the robustness and privacy of ML models.

Hongsheng Hu,Zoran Salcic,Lichao Sun,Gillian Dobbie,Philip S. Yu,Xuyun Zhang

DOI: https://doi.org/10.1145/3523273

IF: 16.6

2022-03-23

ACM Computing Surveys

Abstract:Machine learning (ML) models have been widely applied to various applications, including image classification, text generation, audio recognition, and graph data analysis. However, recent studies have shown that ML models are vulnerable to membership inference attacks (MIAs), which aim to infer whether a data record was used to train a target model or not. MIAs on ML models can directly lead to a privacy breach. For example, via identifying the fact that a clinical record that has been used to train a model associated with a certain disease, an attacker can infer that the owner of the clinical record has the disease with a high chance. In recent years, MIAs have been shown to be effective on various ML models, e.g., classification models and generative models. Meanwhile, many defense methods have been proposed to mitigate MIAs. Although MIAs on ML models form a newly emerging and rapidly growing research area, there has been no systematic survey on this topic yet. In this paper, we conduct the first comprehensive survey on membership inference attacks and defenses. We provide the taxonomies for both attacks and defenses, based on their characterizations, and discuss their pros and cons. Based on the limitations and gaps identified in this survey, we point out several promising future research directions to inspire the researchers who wish to follow this area. This survey not only serves as a reference for the research community but also provides a clear description for researchers outside this research domain. To further help the researchers, we have created an online resource repository, which we will keep updated with future relevant work. Interested readers can find the repository at https://github.com/HongshengHu/membership-inference-machine-learning-literature.

computer science, theory & methods

Shuhao Li,Yajie Wang,Yuanzhang Li,Yu-an Tan

DOI: https://doi.org/10.48550/arXiv.2205.06469

2022-05-13

Abstract:Machine Learning (ML) has made unprecedented progress in the past several decades. However, due to the memorability of the training data, ML is susceptible to various attacks, especially Membership Inference Attacks (MIAs), the objective of which is to infer the model's training data. So far, most of the membership inference attacks against ML classifiers leverage the shadow model with the same structure as the target model. However, empirical results show that these attacks can be easily mitigated if the shadow model is not clear about the network structure of the target model. In this paper, We present attacks based on black-box access to the target model. We name our attack \textbf{l-Leaks}. The l-Leaks follows the intuition that if an established shadow model is similar enough to the target model, then the adversary can leverage the shadow model's information to predict a target sample's <a class="link-external link-http" href="http://membership.The" rel="external noopener nofollow">this http URL</a> logits of the trained target model contain valuable sample knowledge. We build the shadow model by learning the logits of the target model and making the shadow model more similar to the target model. Then shadow model will have sufficient confidence in the member samples of the target model. We also discuss the effect of the shadow model's different network structures to attack results. Experiments over different networks and datasets demonstrate that both of our attacks achieve strong performance.

Machine Learning,Artificial Intelligence,Cryptography and Security

Zitao Chen,Karthik Pattabiraman

2024-07-02

Abstract:Modern machine learning (ML) ecosystems offer a surging number of ML frameworks and code repositories that can greatly facilitate the development of ML models. Today, even ordinary data holders who are not ML experts can apply off-the-shelf codebase to build high-performance ML models on their data, many of which are sensitive in nature (e.g., clinical records). In this work, we consider a malicious ML provider who supplies model-training code to the data holders, does not have access to the training process, and has only black-box query access to the resulting model. In this setting, we demonstrate a new form of membership inference attack that is strictly more powerful than prior art. Our attack empowers the adversary to reliably de-identify all the training samples (average >99% attack TPR@0.1% FPR), and the compromised models still maintain competitive performance as their uncorrupted counterparts (average <1% accuracy drop). Moreover, we show that the poisoned models can effectively disguise the amplified membership leakage under common membership privacy auditing, which can only be revealed by a set of secret samples known by the adversary. Overall, our study not only points to the worst-case membership privacy leakage, but also unveils a common pitfall underlying existing privacy auditing methods, which calls for future efforts to rethink the current practice of auditing membership privacy in machine learning models.

Cryptography and Security,Artificial Intelligence,Computer Vision and Pattern Recognition

Liwei Song,Reza Shokri,Prateek Mittal

DOI: https://doi.org/10.1145/3319535.3354211

2019-11-06

Abstract:The arms race between attacks and defenses for machine learning models has come to a forefront in recent years, in both the security community and the privacy community. However, one big limitation of previous research is that the security domain and the privacy domain have typically been considered separately. It is thus unclear whether the defense methods in one domain will have any unexpected impact on the other domain. In this paper, we take a step towards resolving this limitation by combining the two domains. In particular, we measure the success of membership inference attacks against six state-of-the-art defense methods that mitigate the risk of adversarial examples (i.e., evasion attacks). Membership inference attacks determine whether or not an individual data record has been part of a model&#x27;s training set. The accuracy of such attacks reflects the information leakage of training algorithms about individual members of the training set. Adversarial defense methods against adversarial examples influence the model&#x27;s decision boundaries such that model predictions remain unchanged for a small area around each input. However, this objective is optimized on training data. Thus, individual data records in the training set have a significant influence on robust models. This makes the models more vulnerable to inference attacks. To perform the membership inference attacks, we leverage the existing inference methods that exploit model predictions. We also propose two new inference methods that exploit structural properties of robust models on adversarially perturbed data. Our experimental evaluation demonstrates that compared with the natural training (undefended) approach, adversarial defense methods can indeed increase the target model&#x27;s risk against membership inference attacks. When using adversarial defenses to train the robust models, the membership inference advantage increases by up to 4.5 times compared to the naturally undefended models. Beyond revealing the privacy risks of adversarial defenses, we further investigate the factors, such as model capacity, that influence the membership information leakage.

NIU Jun,MA Xiaoji,CHEN Ying,ZHANG Ge,HE Zhipeng,HOU Zhexian,ZHU Xiaoyan,WU Gaofei,CHEN Kai,ZHANG Yuqing

DOI: https://doi.org/10.19363/J.cnki.cn10-1380/tn.2022.11.01

2022-01-01

Journal of Cyber Security

Abstract:The newly emerged machine learning（ML） methods have been widely applied to various applications, and have become a strong driving force to revolutionize a wide range of industries, which have greatly promoted the prosperity and development of artificial intelligence. Meanwhile, the training and inference of the machine learning model are based on a large amount of data, which always contains some private information. And the privacy and security of the ML has faced serious challenges. Membership inference attacks（MIAs） mainly aim to infer whether a data record was used to train a target model or not. MIAs have not only been shown to be effective on various ML models（e.g., classification models and generative models）, but also have been penetrated into the fields of image classification, speech recognition, natural language processing, computer vision and so on, which creates a great security threat to the long-term development of machine learning.Therefore, in order to better improve the security of ML models for membership inference attacks, in this paper, we systematically introduce and analyze the basic principles and characteristics of the MIAs and their defenses from a ML attack-defense perspective. Firstly, we introduce the definitions and threat models of the MIAs, and classify these MIAs from six different perspectives such as attacks’ principles, scenarios, background knowledge, target models, fields and the size of attack datasets, and we compare their advantages and disadvantages. Secondly, we summary the reasons caused the MIAs from three aspects, namely diversity of training data, types of target models and overfitting of target models. Thirdly, we survey defensive techniques for MIAs as well as their characteristics by differential privacy, regularization, data argumentation,model stacking, early stopping, confidence score masking and knowledge distillation. Futhermore, we institute the evaluation metrics and datasets used in MIAs, and the other applications of the MIAs. Finally, by comparing and analyzing the existing MIAs and their defenses, we discuss the challenges and future research directions.

Gaoyang Liu,Tianlong Xu,Rui Zhang,Zixiong Wang,Chen Wang,Ling Liu

DOI: https://doi.org/10.1109/tifs.2023.3324772

IF: 7.231

2023-11-25

IEEE Transactions on Information Forensics and Security

Abstract:Machine Learning (ML) techniques have been applied to many real-world applications to perform a wide range of tasks. In practice, ML models are typically deployed as the black-box APIs to protect the model owner's benefits and/or defend against various privacy attacks. In this paper, we present Gradient-Leaks as the first evidence showcasing the possibility of performing membership inference attacks (MIAs), with mere black-box access, which aim to determine whether a data record was utilized to train a given target ML model or not. The key idea of Gradient-Leaks is to construct a local ML model around the given record which locally approximates the target model's prediction behavior. By extracting the membership information of the given record from the gradient of the substituted local model using an intentionally modified autoencoder, Gradient-Leaks can thus breach the membership privacy of the target model's training data in an unsupervised manner, without any priori knowledge about the target model's internals or its training data. Extensive experiments on different types of ML models with real-world datasets have shown that Gradient-Leaks can achieve a better performance compared with state-of-the-art attacks.

computer science, theory & methods,engineering, electrical & electronic

K. Karthikeyan,K. Padmanaban,Datchanamoorthy Kavitha,Jampani Chandra Sekhar

DOI: https://doi.org/10.1504/ijsnet.2023.135848

2024-01-10

International Journal of Sensor Networks

Abstract:In order to function correctly during the training phase, many ML models require enormous amounts of labelled data. There is a possibility that the data will contain private information, which must be protected regarding privacy. Membership inference attacks (MIA) are attacks that try to identify if a target data point was utilised for training a particular ML method. These attacks have the potential to compromise users' privacy and security. The degree to which an algorithm for ML divulges user membership information varies from implementation to implementation. Hence, a performance analysis was performed based on different ML algorithms under MIA inference attacks. This study proposed for comparing different ML approaches against MIAs and analyses which ML algorithm is better performing to such privacy attacks. Based on the performance analysis observation, the GAN and DNN models are considered as the best ML models to defend against MIA attacks with better performances.

computer science, information systems,telecommunications

Jiacheng Li,Ninghui Li,Bruno Ribeiro

2024-05-29

Abstract:In Member Inference (MI) attacks, the adversary try to determine whether an instance is used to train a machine learning (ML) model. MI attacks are a major privacy concern when using private data to train ML models. Most MI attacks in the literature take advantage of the fact that ML models are trained to fit the training data well, and thus have very low loss on training instances. Most defenses against MI attacks therefore try to make the model fit the training data less well. Doing so, however, generally results in lower accuracy. We observe that training instances have different degrees of vulnerability to MI attacks. Most instances will have low loss even when not included in training. For these instances, the model can fit them well without concerns of MI attacks. An effective defense only needs to (possibly implicitly) identify instances that are vulnerable to MI attacks and avoids overfitting them. A major challenge is how to achieve such an effect in an efficient training process. Leveraging two distinct recent advancements in representation learning: counterfactually-invariant representations and subspace learning methods, we introduce a novel Membership-Invariant Subspace Training (MIST) method to defend against MI attacks. MIST avoids overfitting the vulnerable instances without significant impact on other instances. We have conducted extensive experimental studies, comparing MIST with various other state-of-the-art (SOTA) MI defenses against several SOTA MI attacks. We find that MIST outperforms other defenses while resulting in minimal reduction in testing accuracy.

Cryptography and Security,Machine Learning

Nicholas Carlini,Steve Chien,Milad Nasr,Shuang Song,Andreas Terzis,Florian Tramer

DOI: https://doi.org/10.1109/SP46214.2022.9833649

2022-01-01

Abstract: A membership inference attack allows an adversary to query a trained machine learning model to predict whether or not a particular example was contained in the model's training dataset. These attacks are currently evaluated using average-case "accuracy" metrics that fail to characterize whether the attack can confidently identify any members of the training set. We argue that attacks should instead be evaluated by computing their true-positive rate at low (e.g., <0.1%) false-positive rates, and find most prior attacks perform poorly when evaluated in this way. To address this we develop a Likelihood Ratio Attack (LiRA) that carefully combines multiple ideas from the literature. Our attack is 10x more powerful at low false-positive rates, and also strictly dominates prior attacks on existing metrics.

Lakshmi Prasanna Pedarla,Xinyue Zhang,Liang Zhao,Hafiz Khan

DOI: https://doi.org/10.1145/3564746.3587027

2023-01-01

Abstract:In recent years, machine learning (ML) has achieved huge success in healthcare and medicine areas. However, recent work has demonstrated that ML is vulnerable to privacy leakage since it exhibits to overfit the training datasets. Especially, in healthcare and medical communities, there are concerns that medical images and electronic health records containing protected health information (PHI) are vulnerable to inference attacks. These PHI might be unwittingly leaked when the aforementioned data is used for training ML models to address necessary healthcare concerns. Given access to the trained ML model, the attacker is able to adopt membership inference attacks (MIA) to determine whether a specific data sample is used in the corresponding medical training dataset. In this paper, we concentrate on MIA and propose a new method to determine whether a sample was used to train the given ML model or not. Our method is based on the observation that a trained machine learning model usually is lesser sensitive to the feature value perturbations on its training samples compared with the non-training samples. The key idea of our method is to perturb a training sample's feature value in the corresponding feature space and then compute the relationship between each feature's perturbation and the corresponding prediction's change as features to train the attack model. We used publicly available medical datasets such as diabetes and heartbeat categorization data to evaluate our method. Our evaluation shows that the proposed attack can perform better than the existing membership inference attack method.

Eric Aubinais,Elisabeth Gassiat,Pablo Piantanida

2024-06-11

Abstract:Membership inference attacks (MIA) can reveal whether a particular data point was part of the training dataset, potentially exposing sensitive information about individuals. This article provides theoretical guarantees by exploring the fundamental statistical limitations associated with MIAs on machine learning models. More precisely, we first derive the statistical quantity that governs the effectiveness and success of such attacks. We then theoretically prove that in a non-linear regression setting with overfitting algorithms, attacks may have a high probability of success. Finally, we investigate several situations for which we provide bounds on this quantity of interest. Interestingly, our findings indicate that discretizing the data might enhance the algorithm's security. Specifically, it is demonstrated to be limited by a constant, which quantifies the diversity of the underlying data distribution. We illustrate those results through two simple simulations.

Machine Learning,Artificial Intelligence

Zheng Zhang,Jianfeng Ma,Xindi Ma,Ruikang Yang,Xiangyu Wang,Junying Zhang

DOI: https://doi.org/10.1016/j.ins.2024.120636

IF: 8.1

2024-04-19

Information Sciences

Abstract:Large-capacity machine learning models are vulnerable to membership inference attacks that disclose the privacy of the training dataset. The privacy concerns posed by membership inference attacks have inspired many defense strategies.Unfortunately, they have various limitations: 1) failing to achieve a high-quality tradeoff between membership privacy and model utility. 2) Providing little flexibility to users. This paper proposes Repair-Membership Learning(RM Learning), a simple but effective defense mechanism. RM Learning mitigates membership inference attacks by giving each sample of the training dataset an appropriate soft label to reduce the loss gap between the training and testing datasets of the model. Meanwhile, RM Learning controls the distinguishability between the training and testing datasets by limiting the model's loss gap over them with an adjustable parameter λ to give users flexibility. We evaluated the RM Learning algorithm on four datasets with seven models and compared it with three state-of-the-art methods. For instance, we reduce the effectiveness of black-box and white-box membership inference attacks to about 50.0%, with a loss of less than 1.3% of testing accuracy, for the CIFAR10 dataset with the ResNet18 model.

computer science, information systems

Jiacheng Li,Ninghui Li,Bruno Ribeiro

DOI: https://doi.org/10.1145/3422337.3447836

2021-02-03

Abstract:We study the membership inference (MI) attack against classifiers, where the attacker's goal is to determine whether a data instance was used for training the classifier. Through systematic cataloging of existing MI attacks and extensive experimental evaluations of them, we find that a model's vulnerability to MI attacks is tightly related to the generalization gap -- the difference between training accuracy and test accuracy. We then propose a defense against MI attacks that aims to close the gap by intentionally reduces the training accuracy. More specifically, the training process attempts to match the training and validation accuracies, by means of a new {\em set regularizer} using the Maximum Mean Discrepancy between the softmax output empirical distributions of the training and validation sets. Our experimental results show that combining this approach with another simple defense (mix-up training) significantly improves state-of-the-art defense against MI attacks, with minimal impact on testing accuracy.

Cryptography and Security,Machine Learning

Benjamin Zi Hao Zhao,Aviral Agrawal,Catisha Coburn,Hassan Jameel Asghar,Raghav Bhaskar,Mohamed Ali Kaafar,Darren Webb,Peter Dickinson

DOI: https://doi.org/10.48550/arXiv.2103.07101

2021-03-12

Abstract:With an increase in low-cost machine learning APIs, advanced machine learning models may be trained on private datasets and monetized by providing them as a service. However, privacy researchers have demonstrated that these models may leak information about records in the training dataset via membership inference attacks. In this paper, we take a closer look at another inference attack reported in literature, called attribute inference, whereby an attacker tries to infer missing attributes of a partially known record used in the training dataset by accessing the machine learning model as an API. We show that even if a classification model succumbs to membership inference attacks, it is unlikely to be susceptible to attribute inference attacks. We demonstrate that this is because membership inference attacks fail to distinguish a member from a nearby non-member. We call the ability of an attacker to distinguish the two (similar) vectors as strong membership inference. We show that membership inference attacks cannot infer membership in this strong setting, and hence inferring attributes is infeasible. However, under a relaxed notion of attribute inference, called approximate attribute inference, we show that it is possible to infer attributes close to the true attributes. We verify our results on three publicly available datasets, five membership, and three attribute inference attacks reported in literature.

Machine Learning,Cryptography and Security

Hongyang Yan,Shuhao Li,Yajie Wang,Yaoyuan Zhang,Kashif Sharif,Haibo Hu,Yuanzhang Li

DOI: https://doi.org/10.1109/tdsc.2022.3222880

2023-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:Deep Learning(DL) techniques have gained significant importance in the recent past due to their vast applications. However, DL is still prone to several attacks, such as the Membership Inference Attack (MIA), based on the memorability of training data. MIA aims at determining the presence of specific data in the training dataset of the model with substitute model of similar structure to the objective model. As MIA relies on the substitute model, they can be mitigated if the substitute model is not clear about the network structure of the objective model. To solve the challenge of shadow-model construction, this work presents L-Leaks, a member inference attack based on Logits. L-Leaks allow an adversary to use the substitute model's information to predict the presence of membership if the shadow and objective model are similar enough. Here, the substitute model is built by learning the logits of the objective model, hence making it similar enough. This results in the substitute model having sufficient confidence in the member samples of the objective model. The evaluation of the attack's success shows that the proposed technique can execute the attack more accurately than existing techniques. It also shows that the proposed MIA is significantly robust under different network models and datasets.

Hongsheng Hu,Zoran Salcic,Gillian Dobbie,Jinjun Chen,Lichao Sun,Xuyun Zhang

DOI: https://doi.org/10.48550/arXiv.2206.04823

2022-06-10

Cryptography and Security

Abstract:Recently issued data privacy regulations like GDPR (General Data Protection Regulation) grant individuals the right to be forgotten. In the context of machine learning, this requires a model to forget about a training data sample if requested by the data owner (i.e., machine unlearning). As an essential step prior to machine unlearning, it is still a challenge for a data owner to tell whether or not her data have been used by an unauthorized party to train a machine learning model. Membership inference is a recently emerging technique to identify whether a data sample was used to train a target model, and seems to be a promising solution to this challenge. However, straightforward adoption of existing membership inference approaches fails to address the challenge effectively due to being originally designed for attacking membership privacy and suffering from several severe limitations such as low inference accuracy on well-generalized models. In this paper, we propose a novel membership inference approach inspired by the backdoor technology to address the said challenge. Specifically, our approach of Membership Inference via Backdooring (MIB) leverages the key observation that a backdoored model behaves very differently from a clean model when predicting on deliberately marked samples created by a data owner. Appealingly, MIB requires data owners' marking a small number of samples for membership inference and only black-box access to the target model, with theoretical guarantees for inference results. We perform extensive experiments on various datasets and deep neural network architectures, and the results validate the efficacy of our approach, e.g., marking only 0.1% of the training dataset is practically sufficient for effective membership inference.

Xiaoxiao Chi,Xuyun Zhang,Yan Wang,Lianyong Qi,Amin Beheshti,Xiaolong Xu,Kim-Kwang Raymond Choo,Shuo Wang,Hongsheng Hu

DOI: https://doi.org/10.48550/arXiv.2405.07018

2024-05-11

Abstract:Recommender systems have been successfully applied in many applications. Nonetheless, recent studies demonstrate that recommender systems are vulnerable to membership inference attacks (MIAs), leading to the leakage of users' membership privacy. However, existing MIAs relying on shadow training suffer a large performance drop when the attacker lacks knowledge of the training data distribution and the model architecture of the target recommender system. To better understand the privacy risks of recommender systems, we propose shadow-free MIAs that directly leverage a user's recommendations for membership inference. Without shadow training, the proposed attack can conduct MIAs efficiently and effectively under a practice scenario where the attacker is given only black-box access to the target recommender system. The proposed attack leverages an intuition that the recommender system personalizes a user's recommendations if his historical interactions are used by it. Thus, an attacker can infer membership privacy by determining whether the recommendations are more similar to the interactions or the general popular items. We conduct extensive experiments on benchmark datasets across various recommender systems. Remarkably, our attack achieves far better attack accuracy with low false positive rates than baselines while with a much lower computational cost.

Cryptography and Security