User-Level Membership Inference Attack against Metric Embedding Learning

Li, Guoyao; Rezaei, Shahbaz; Liu, Xin

doi:10.48550/arxiv.2203.02077

Cited by 2 publications

(4 citation statements)

References 8 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Membership inference attacks (MI) can reveal if specific data samples were present in a model's training dataset [63]. Using MI to audit training data has been considered in images, speech, machine translation, and metric-embedding domains [27,39,47,67]. Unfortunately, MI remains unreliable for many (non-outlier) data samples, and generally requires significant data and compute to train multiple shadow models to approximate the behavior of F [63].…”

Section: User Data-level Modificationsmentioning

confidence: 99%

Data Isotopes for Data Provenance in DNNs

Wenger,

Li,

Zhao

et al. 2024

PoPETs

View full text Add to dashboard Cite

Today, creators of data-hungry deep neural networks (DNNs) scour the Internet for training fodder, leaving users with little control over or knowledge of when their data, and in particular their images, are used to train models. To empower users to counteract unwanted use of their images, we design, implement and evaluate a practical system that enables users to detect if their data was used to train a DNN model for image classification. We show how users can create special images we call isotopes, which introduce ``spurious features'' into DNNs during training. With only query access to a model and no knowledge of the model-training process, nor control of the data labels, a user can apply statistical hypothesis testing to detect if the model learned these spurious features by training on the user's images. Isotopes can be viewed as an application of a particular type of data poisoning. In contrast to backdoors and other poisoning attacks, our purpose is not to cause misclassification but rather to create tell-tale changes in confidence scores output by the model that reveal the presence of isotopes in the training data. Isotopes thus turn DNNs' vulnerability to memorization and spurious correlations into a tool for data provenance. Our results confirm efficacy in multiple image classification settings, detecting and distinguishing between hundreds of isotopes with high accuracy. We further show that our system works on public ML-as-a-service platforms and larger models such as ImageNet, can use physical objects in images instead of digital marks, and remains robust against several adaptive countermeasures.

show abstract

Section: User Data-level Modificationsmentioning

confidence: 99%

Data Isotopes for Data Provenance in DNNs

Wenger,

Li,

Zhao

et al. 2024

PoPETs

View full text Add to dashboard Cite

show abstract

“…However, our paper makes a thorough inquiry on the distribution gap of similarities. Li, Rezaei, and Liu (2022) propose a user-level MI attack in metric embedding learning. This approach is based on an assumption that data from the same category forms a more compact cluster in the training set than the test set, and uses the average and pair-wise intra-class distance as features to conduct user-level membership inference.…”

Section: Related Workmentioning

confidence: 99%

“…low number of samples causes low attack success rate). While Li, Rezaei, and Liu (2022) only focuses on average and pair-wise distance on intra-class samples, our method proposes to look at more general similarity distribution over all sample pairs (both intra-and inter-class similarity). Furthermore, our method does not require multiple samples for each identity.…”

Section: Related Workmentioning

confidence: 99%

See 1 more Smart Citation

Similarity Distribution Based Membership Inference Attack on Person Re-identification

Gao

Jiang

Zhang

et al. 2023

AAAI

View full text Add to dashboard Cite

While person Re-identification (Re-ID) has progressed rapidly due to its wide real-world applications, it also causes severe risks of leaking personal information from training data. Thus, this paper focuses on quantifying this risk by membership inference (MI) attack. Most of the existing MI attack algorithms focus on classification models, while Re-ID follows a totally different training and inference paradigm. Re-ID is a fine-grained recognition task with complex feature embedding, and model outputs commonly used by existing MI like logits and losses are not accessible during inference. Since Re-ID focuses on modelling the relative relationship between image pairs instead of individual semantics, we conduct a formal and empirical analysis which validates that the distribution shift of the inter-sample similarity between training and test set is a critical criterion for Re-ID membership inference. As a result, we propose a novel membership inference attack method based on the inter-sample similarity distribution. Specifically, a set of anchor images are sampled to represent the similarity distribution conditioned on a target image, and a neural network with a novel anchor selection module is proposed to predict the membership of the target image. Our experiments validate the effectiveness of the proposed approach on both the Re-ID task and conventional classification task.

show abstract

User-Level Membership Inference Attack against Metric Embedding Learning

Cited by 2 publications

References 8 publications

Data Isotopes for Data Provenance in DNNs

Data Isotopes for Data Provenance in DNNs

Similarity Distribution Based Membership Inference Attack on Person Re-identification

Contact Info

Product

Resources

About