Membership Inference Attacks on Machine Learning: A Survey

Hu, Hongsheng; Salčić, Zoran; Dobbie, Gillian; Zhang, Xuyun

doi:10.1145/3523273

Cited by 160 publications

(84 citation statements)

References 78 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Nasr et al [39] instantiated the hypothetical adversary to analyse the differential private ML especially DP-SGD. There are also some schemes [33][34][35][36][37] that set the goal of protection as a generative model. Hayes et al [33] first applied the membership inference attack on the generative model and utilized differential privacy during the training stage to protect the generative model.…”

Section: Differential Privacymentioning

confidence: 99%

Privacy‐preserving generative framework for images against membership inference attacks

Yang

Miao

et al. 2022

IET Communications

View full text Add to dashboard Cite

Machine learning has become an integral part of modern intelligent systems in all aspects of life. Membership inference attacks (MIAs), as the significant model attacks, also jeopardize the privacy of the intelligent systems. Previous works on defending MIAs concentrate on the model output perturbation or tampering with the training process. However, data and model reuse are common in intelligent systems, which results in the lack of scalability of previous defending works. This paper proposes a new privacy-preserving framework for images to transform source data into synthetic data to train models against MIAs. The synthetic data makes it easy to defend MIAs during data and model reuse to improve the scheme's scalability. The framework generates synthetic data satisfying differential privacy through the variational autoencoder model's information extraction and data generation capabilities to improve model accuracy. A noise addition mechanism with metric privacy for the latent code generated from source data is proposed, where noise is the product of Γ-distribution and unit hyper-sphere samples. Moreover, it is proved that the synthetic data also satisfies metric privacy. The experimental evaluations demonstrate that the framework reduces MIAs' attack accuracy to about 0.5 and maintains higher utility than DP-SGD under the same setting.

show abstract

Section: Differential Privacymentioning

confidence: 99%

Privacy‐preserving generative framework for images against membership inference attacks

Yang

Miao

et al. 2022

IET Communications

View full text Add to dashboard Cite

show abstract

“…We focus only on related works that are directly related to our contributions. See Hu et al [15] for a comprehensive survey of MIAs.…”

Section: Other Related Workmentioning

confidence: 99%

Knowledge Cross-Distillation for Membership Privacy

Chourasia

Enkhtaivan²,

Ito³

et al. 2022

Proceedings on Privacy Enhancing Technologies

View full text Add to dashboard Cite

A membership inference attack (MIA) poses privacy risks for the training data of a machine learning model. With an MIA, an attacker guesses if the target data are a member of the training dataset. The state-of-the-art defense against MIAs, distillation for membership privacy (DMP), requires not only private data for protection but a large amount of unlabeled public data. However, in certain privacy-sensitive domains, such as medicine and finance, the availability of public data is not guaranteed. Moreover, a trivial method for generating public data by using generative adversarial networks significantly decreases the model accuracy, as reported by the authors of DMP. To overcome this problem, we propose a novel defense against MIAs that uses knowledge distillation without requiring public data. Our experiments show that the privacy protection and accuracy of our defense are comparable to those of DMP for the benchmark tabular datasets used in MIA research, Purchase100 and Texas100, and our defense has a much better privacy-utility trade-off than those of the existing defenses that also do not use public data for the image dataset CIFAR10.

show abstract

“…We now present related work pertinent to MIAShield. We refer the reader to [10] for a comprehensive survey.…”

Section: Related Workmentioning

confidence: 99%

“…This difference is exploited by an adversary as a strong signal to learn a member/nonmember decision function (attack model) or some threshold to flag members. Based on the information they leverage, MIAs can either be probability-dependent attacks (use confidence scores predicted for each class) or label-dependent attacks (use just the predicted label) [10].…”

Section: Introductionmentioning

confidence: 99%

MIAShield: Defending Membership Inference Attacks via Preemptive Exclusion of Members

Jarin¹,

Eshete²

2022

Preprint

View full text Add to dashboard Cite

In membership inference attacks (MIAs), an adversary observes the predictions of a model to determine whether a sample is part of the model's training data. Existing MIA defenses conceal the presence of a target sample through strong regularization, knowledge distillation, confidence masking, or differential privacy.We propose MIAShield, a new MIA defense based on preemptive exclusion of member samples instead of masking the presence of a member. The key insight in MIAShield is weakening the strong membership signal that stems from the presence of a target sample by preemptively excluding it at prediction time without compromising model utility. To that end, we design and evaluate a suite of preemptive exclusion oracles leveraging model-confidence, exact/approximate sample signature, and learning-based exclusion of member data points. To be practical, MIAShield splits a training data into disjoint subsets and trains each subset to build an ensemble of models. The disjointedness of subsets ensures that a target sample belongs to only one subset, which isolates the sample to facilitate the preemptive exclusion goal.We evaluate MIAShield on three benchmark image classification datasets. We show that MIAShield effectively mitigates membership inference (near random guess) for a wide range of MIAs; achieves far better privacy-utility trade-off compared with state-of-the-art defenses, and remains resilient against an adaptive adversary.

show abstract

Membership Inference Attacks on Machine Learning: A Survey

Cited by 160 publications

References 78 publications

Privacy‐preserving generative framework for images against membership inference attacks

Privacy‐preserving generative framework for images against membership inference attacks

Knowledge Cross-Distillation for Membership Privacy

MIAShield: Defending Membership Inference Attacks via Preemptive Exclusion of Members

Contact Info

Product

Resources

About