Corpus ID: 220831381

Label-Only Membership Inference Attacks

@inproceedings{ChoquetteChoo2021LabelOnlyMI,
  title={Label-Only Membership Inference Attacks},
  author={Christopher A. Choquette-Choo and Florian Tram{\`e}r and Nicholas Carlini and Nicolas Papernot},
  booktitle={ICML},
  year={2021}
}
Membership inference attacks are one of the simplest forms of privacy leakage for machine learning models: given a data point and model, determine whether the point was used to train the model. Existing membership inference attacks exploit models' abnormal confidence when queried on their training data. These attacks do not apply if the adversary only gets access to models' predicted labels, without a confidence measure. In this paper, we introduce label-only membership inference attacks… 
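To make the contrast above concrete, the following is a minimal sketch, not the paper's implementation, of a score-based attack next to a label-only one. The black-box interfaces query_confidences and query_label, the Gaussian-perturbation proxy for distance to the decision boundary, and all thresholds are illustrative assumptions.

import numpy as np

# Hypothetical black-box interfaces (assumptions for illustration only):
#   query_confidences(x) -> per-class probability vector (score-based setting)
#   query_label(x)       -> predicted class index only (label-only setting)

def confidence_attack(x, y_true, query_confidences, threshold=0.9):
    # Score-based baseline: guess "member" if the model is unusually
    # confident in the true class (illustrative fixed threshold).
    return query_confidences(x)[y_true] > threshold

def label_only_attack(x, y_true, query_label, n_noise=50, sigma=0.05, threshold=0.8):
    # Label-only sketch: measure how often the predicted label survives
    # random Gaussian perturbations; training points tend to lie farther
    # from the decision boundary, so their labels flip less often.
    if query_label(x) != y_true:
        return False  # misclassified points are unlikely to be members
    x = np.asarray(x, dtype=float)
    perturbed = x + np.random.normal(0.0, sigma, size=(n_noise,) + x.shape)
    agreement = np.mean([query_label(p) == y_true for p in perturbed])
    return agreement > threshold

In practice such thresholds would be calibrated, for example on shadow models trained on similar data, rather than fixed by hand.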
Label-Leaks: Membership Inference Attack with Label
TLDR
A systematic investigation of membership inference attacks when the target model provides only the predicted label, focusing on two adversarial settings and proposing two attacks: a transfer-based attack and a perturbation-based attack.
Membership Leakage in Label-Only Exposures
TLDR
This paper proposes decision-based membership inference attacks, developing two types of attacks, a transfer attack and a boundary attack, which achieve strong performance and in some cases outperform previous score-based attacks.
Enhanced Membership Inference Attacks against Machine Learning Models
TLDR
This paper uses the framework of hypothesis testing to explain the implicit assumptions and simplifications made in prior work, and derives new attack algorithms from that framework that achieve high AUC scores while highlighting the factors that affect their performance.
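As a hedged sketch of the hypothesis-testing view referenced above (notation assumed here rather than quoted from the cited paper), membership inference on a candidate point $z$ given an observation $o$ about the trained model (e.g., its loss on $z$) can be cast as a likelihood-ratio test:

\[
\Lambda(o, z) \;=\; \frac{\Pr\!\left[\, o \mid z \in D_{\mathrm{train}} \,\right]}{\Pr\!\left[\, o \mid z \notin D_{\mathrm{train}} \,\right]} \;\ge\; \tau
\quad\Longrightarrow\quad \text{predict ``member''},
\]

where the threshold $\tau$ fixes the false-positive rate and the two conditional distributions are typically estimated with shadow models.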
Membership Inference Attacks on Machine Learning: A Survey
TLDR
This paper provides taxonomies for both attacks and defenses based on their characterizations, discusses their pros and cons, and points out several promising future research directions for researchers who wish to follow this area.
Mitigating Membership Inference Attacks by Self-Distillation Through a Novel Ensemble Architecture
TLDR
This work proposes a new framework for training privacy-preserving models that induces similar behavior on member and non-member inputs to mitigate membership inference attacks, and shows that SELENA offers a superior trade-off between membership privacy and utility compared to the state of the art.
Do Not Trust Prediction Scores for Membership Inference Attacks
TLDR
It is argued that many modern deep network architectures, e.g., ReLU-type neural networks, almost always produce high prediction scores far away from the training data; this behavior leads to high false-positive rates not only on known domains but also on out-of-distribution data and implicitly acts as a defense against MIAs.
Generalization Techniques Empirically Outperform Differential Privacy against Membership Inference
TLDR
The performance of state-of-the-art techniques such as pre-training and sharpness-aware minimization, alone and combined with differentially private training algorithms, is evaluated; it is found that, when using early stopping, the algorithms without differential privacy can provide both higher utility and higher privacy than their differentially private counterparts.
Knowledge Cross-Distillation for Membership Privacy
TLDR
This work proposes a novel defense against MIAs that uses knowledge distillation without requiring public data, and on the CIFAR-10 image dataset it achieves a much better privacy-utility trade-off than existing defenses that likewise do not use public data.
MACE: A Flexible Framework for Membership Privacy Estimation in Generative Models
TLDR
This work formulates membership privacy as a statistical divergence between training samples and hold-out samples and proposes sample-based methods to estimate this divergence, yielding a generalizable metric and estimators that make realistic and flexible assumptions.
Property Inference From Poisoning
TLDR
The findings suggest that poisoning attacks can boost the information leakage significantly and should be considered as a stronger threat model in sensitive applications where some of the data sources may be malicious.
...

References

Showing 1-10 of 75 references
Membership Inference Attacks Against Machine Learning Models
TLDR
This work quantitatively investigates how machine learning models leak information about the individual data records on which they were trained and empirically evaluates the inference techniques on classification models trained by commercial "machine learning as a service" providers such as Google and Amazon.
MemGuard: Defending against Black-Box Membership Inference Attacks via Adversarial Examples
TLDR
This work proposes MemGuard, the first defense with formal utility-loss guarantees against black-box membership inference attacks, and is the first to show that adversarial examples can be used as a defensive mechanism against membership inference attacks.
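As a rough, simplified illustration of the mechanism summarized above (a sketch under assumptions, not MemGuard's actual constrained optimization against an attack classifier), a defense of this kind returns a perturbed confidence vector whose predicted label is unchanged:

import numpy as np

def purify_confidences(probs, noise_scale=0.1, max_tries=100, rng=None):
    # Simplified sketch: add random noise to the confidence vector,
    # project back onto the probability simplex, and accept only
    # perturbations that keep the argmax (the predicted label) intact.
    # MemGuard itself crafts the noise adversarially; random noise here
    # only illustrates the label-preservation (utility) constraint.
    rng = np.random.default_rng() if rng is None else rng
    probs = np.asarray(probs, dtype=float)
    label = int(np.argmax(probs))
    for _ in range(max_tries):
        noisy = np.clip(probs + rng.normal(0.0, noise_scale, size=probs.shape), 1e-6, None)
        noisy /= noisy.sum()
        if int(np.argmax(noisy)) == label:
            return noisy
    return probs  # fall back to the original scores if no valid sample is found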
Towards Demystifying Membership Inference Attacks
TLDR
This paper provides a generalized formulation of the development of a black-box membership inference attack model and characterizes the effect of model choice on vulnerability through a systematic evaluation of a variety of machine learning models and model combinations on multiple datasets.
Machine Learning with Membership Privacy using Adversarial Regularization
TLDR
It is shown that the min-max strategy can reduce the risk of membership inference attacks to near random guessing, with a negligible drop in the model's prediction accuracy (less than 4%).
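A schematic form of the min-max objective mentioned above (notation assumed here, not quoted from the cited paper) trains the classifier against the strongest membership-inference model:

\[
\min_{f}\;\max_{h}\;\; \mathbb{E}_{(x,y)\sim D}\big[\ell\big(f(x),\,y\big)\big] \;+\; \lambda\, G(f, h),
\]

where $\ell$ is the classification loss, $G(f,h)$ measures the membership-inference gain of the attack model $h$ against the classifier $f$, and $\lambda$ trades prediction accuracy against membership privacy.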
Privacy Risk in Machine Learning: Analyzing the Connection to Overfitting
TLDR
This work examines the effect that overfitting and influence have on an attacker's ability to learn information about the training data from machine learning models, through either training-set membership inference or attribute inference attacks.
Privacy Risks of Securing Machine Learning Models against Adversarial Examples
TLDR
This paper measures the success of membership inference attacks against six state-of-the-art defense methods that mitigate the risk of adversarial examples, and proposes two new inference methods that exploit structural properties of robust models on adversarially perturbed data.
Defending Model Inversion and Membership Inference Attacks via Prediction Purification
TLDR
It is shown that when the purifier is dedicated to defending against one attack, it naturally defends against the other, empirically demonstrating the connection between the two attacks.
Stolen Memories: Leveraging Model Memorization for Calibrated White-Box Membership Inference
TLDR
This work shows how a model's idiosyncratic use of features can provide evidence of membership to white-box attackers, even when the model's black-box behavior appears to generalize well, and demonstrates that this attack outperforms prior black-box methods.
ML-Leaks: Model and Data Independent Membership Inference Attacks and Defenses on Machine Learning Models
TLDR
The most comprehensive study so far of this emerging threat, using eight diverse datasets to show the viability of the proposed attacks across domains, and proposing the first effective defense mechanisms against this broader class of membership inference attacks while maintaining a high level of model utility.
Understanding Membership Inferences on Well-Generalized Learning Models
TLDR
It is demonstrated that even a well-generalized model contains instances vulnerable to a new generalized MIA (GMIA), which uses novel techniques for selecting vulnerable instances and detecting their subtle influences that are ignored by overfitting metrics.
...