Label-Only Membership Inference Attacks
- URL: http://arxiv.org/abs/2007.14321v3
- Date: Sun, 5 Dec 2021 22:45:19 GMT
- Title: Label-Only Membership Inference Attacks
- Authors: Christopher A. Choquette-Choo, Florian Tramer, Nicholas Carlini, and Nicolas Papernot
- Abstract summary: We introduce label-only membership inference attacks.
Our attacks evaluate the robustness of a model's predicted labels under perturbations.
We find that training models with differential privacy and (strong) L2 regularization are the only known defense strategies.
- Score: 67.46072950620247
- License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
- Abstract: Membership inference attacks are one of the simplest forms of privacy leakage for machine learning models: given a data point and model, determine whether the point was used to train the model. Existing membership inference attacks exploit models' abnormal confidence when queried on their training data. These attacks do not apply if the adversary only gets access to models' predicted labels, without a confidence measure. In this paper, we introduce label-only membership inference attacks. Instead of relying on confidence scores, our attacks evaluate the robustness of a model's predicted labels under perturbations to obtain a fine-grained membership signal. These perturbations include common data augmentations or adversarial examples. We empirically show that our label-only membership inference attacks perform on par with prior attacks that required access to model confidences. We further demonstrate that label-only attacks break multiple defenses against membership inference attacks that (implicitly or explicitly) rely on a phenomenon we call confidence masking. These defenses modify a model's confidence scores in order to thwart attacks, but leave the model's predicted labels unchanged. Our label-only attacks demonstrate that confidence masking is not a viable defense strategy against membership inference. Finally, we investigate worst-case label-only attacks that infer membership for a small number of outlier data points. We show that label-only attacks also match confidence-based attacks in this setting. We find that training models with differential privacy and (strong) L2 regularization are the only known defense strategies that successfully prevent all attacks. This remains true even when the differential privacy budget is too high to offer meaningful provable guarantees.
Related papers
- Robust Federated Learning Mitigates Client-side Training Data Distribution Inference Attacks [48.70867241987739] (2024-03-05T17:41:35Z)
InferGuard is a novel Byzantine-robust aggregation rule aimed at defending against client-side training data distribution inference attacks.
The results of our experiments indicate that our defense mechanism is highly effective in protecting against client-side training data distribution inference attacks.
- Can We Trust the Unlabeled Target Data? Towards Backdoor Attack and Defense on Model Adaptation [120.42853706967188] (2024-01-11T16:42:10Z)
We explore the potential backdoor attacks on model adaptation launched by well-designed poisoning target data.
We propose a plug-and-play method named MixAdapt, combining it with existing adaptation algorithms.
- Confidence Is All You Need for MI Attacks [7.743155804758186] (2023-11-26T18:09:24Z)
We propose a new method to gauge a data point's membership in a model's training set.
During training, the model is essentially being 'fit' to the training data and might face particular difficulties in generalization to unseen data.
- Chameleon: Increasing Label-Only Membership Leakage with Adaptive Poisoning [8.084254242380057] (2023-10-05T18:46:27Z)
Membership Inference (MI) attacks seek to determine whether a particular data sample was included in a model's training dataset.
We show that existing label-only MI attacks are ineffective at inferring membership in the low False Positive Rate regime.
We propose a new attack Chameleon that leverages a novel adaptive data poisoning strategy and an efficient query selection method.
- Membership-Doctor: Comprehensive Assessment of Membership Inference Against Machine Learning Models [11.842337448801066] (2022-08-22T17:00:53Z)
We present a large-scale measurement of different membership inference attacks and defenses.
We find that some assumptions of the threat model, such as same-architecture and same-distribution between shadow and target models, are unnecessary.
We are also the first to execute attacks on the real-world data collected from the Internet, instead of laboratory datasets.
- One Parameter Defense -- Defending against Data Inference Attacks via Differential Privacy [26.000487178636927] (2022-03-13T06:06:24Z)
Machine learning models are vulnerable to data inference attacks, such as membership inference and model inversion attacks.
Most existing defense methods only protect against membership inference attacks.
We propose a differentially private defense method that handles both types of attacks in a time-efficient manner.
- Hidden Backdoor Attack against Semantic Segmentation Models [60.0327238844584] (2021-03-06T05:50:29Z)
The backdoor attack intends to embed hidden backdoors in deep neural networks (DNNs) by poisoning training data.
We propose a novel attack paradigm, the fine-grained attack, where we treat the target label from the object-level instead of the image-level.
Experiments show that the proposed methods can successfully attack semantic segmentation models by poisoning only a small proportion of training data.
- Sampling Attacks: Amplification of Membership Inference Attacks by Repeated Queries [74.59376038272661] (2020-09-01T12:54:54Z)
We introduce sampling attack, a novel membership inference technique that unlike other standard membership adversaries is able to work under severe restriction of no access to scores of the victim model.
We show that a victim model that only publishes the labels is still susceptible to sampling attacks and the adversary can recover up to 100% of its performance.
For defense, we choose differential privacy in the form of gradient perturbation during the training of the victim model as well as output perturbation at prediction time.
- Membership Leakage in Label-Only Exposures [10.875144776014533] (2020-07-30T15:27:55Z)
We propose decision-based membership inference attacks against machine learning models.
In particular, we develop two types of decision-based attacks, namely transfer attack, and boundary attack.
We also present new insights on the success of membership inference based on quantitative and qualitative analysis.
- Adversarial Imitation Attack [63.76805962712481] (2020-03-28T10:02:49Z)
A practical adversarial attack should require as little as possible knowledge of attacked models.
Current substitute attacks need pre-trained models to generate adversarial examples.
In this study, we propose a novel adversarial imitation attack.
This list is automatically generated from the titles and abstracts of the papers in this site.