MIAShield: Defending Membership Inference Attacks via Preemptive
Exclusion of Members
- URL: http://arxiv.org/abs/2203.00915v1
- Date: Wed, 2 Mar 2022 07:53:21 GMT
- Title: MIAShield: Defending Membership Inference Attacks via Preemptive
Exclusion of Members
- Authors: Ismat Jarin and Birhanu Eshete
- Abstract summary: In membership inference attacks, an adversary observes the predictions of a model to determine whether a sample is part of the model's training data.
We propose MIAShield, a new MIA defense based on preemptive exclusion of member samples instead of masking the presence of a member.
- We show that MIAShield effectively mitigates membership inference for a wide range of MIAs, achieves a far better privacy-utility trade-off than state-of-the-art defenses, and remains resilient against an adaptive adversary.
- Score: 9.301268830193072
- License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
- Abstract: In membership inference attacks (MIAs), an adversary observes the predictions
of a model to determine whether a sample is part of the model's training data.
Existing MIA defenses conceal the presence of a target sample through strong
regularization, knowledge distillation, confidence masking, or differential
privacy.
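To make the threat model concrete, the sketch below shows the classic confidence-thresholding attack in this family: an overfit model tends to be more confident on its training samples, so high top-class confidence is taken as evidence of membership. This is an illustrative baseline only, not the attack evaluated in the paper; the sklearn-style `model.predict_proba` interface and the fixed `threshold` are assumptions.

```python
import numpy as np

def confidence_mia(model, x, threshold=0.9):
    """Minimal confidence-thresholding membership inference sketch.

    Flags x as a training member when the model's top softmax
    confidence exceeds `threshold`, exploiting the tendency of
    overfit models to be more confident on training data. In
    practice the threshold would be calibrated, e.g. on shadow
    models or held-out data.
    """
    probs = model.predict_proba(x.reshape(1, -1))[0]
    return bool(np.max(probs) >= threshold)
```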
We propose MIAShield, a new MIA defense based on preemptive exclusion of
member samples instead of masking the presence of a member. The key insight in
MIAShield is weakening the strong membership signal that stems from the
presence of a target sample by preemptively excluding it at prediction time
without compromising model utility. To that end, we design and evaluate a suite
of preemptive exclusion oracles leveraging model-confidence, exact or
approximate sample signature, and learning-based exclusion of member data
points. To be practical, MIAShield splits the training data into disjoint subsets
and trains a separate model on each subset to build an ensemble. The disjointness
of the subsets ensures that a target sample belongs to only one subset, which
isolates the sample and facilitates the preemptive exclusion goal.
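Based only on the description above, here is a minimal sketch of how the disjoint-subset ensemble and an exact-signature exclusion oracle could fit together; the class name, the sklearn-style `predict_proba` models, and the SHA-256 signature are illustrative assumptions, not the authors' implementation.

```python
import hashlib
import numpy as np

class DisjointEnsembleSketch:
    """Sketch of MIAShield-style preemptive exclusion (assumed details).

    models[i] was trained only on subsets[i]; because the subsets are
    disjoint, any training sample appears in exactly one subset.
    """

    def __init__(self, models, subsets):
        self.models = models
        # Exact-signature oracle: hash every training sample per subset.
        self.signatures = [
            {hashlib.sha256(np.asarray(x).tobytes()).hexdigest() for x in subset}
            for subset in subsets
        ]

    def predict(self, x):
        sig = hashlib.sha256(np.asarray(x).tobytes()).hexdigest()
        # Preemptive exclusion: drop the one model whose training subset
        # contains x, so its strong membership signal never reaches the
        # adversary; non-members are served by the full ensemble.
        votes = [
            model.predict_proba(x.reshape(1, -1))[0]
            for model, sigs in zip(self.models, self.signatures)
            if sig not in sigs
        ]
        return np.mean(votes, axis=0)
```

Because the subsets are disjoint, at most one model is excluded per query, so the utility cost of exclusion is bounded by the loss of a single ensemble member.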
We evaluate MIAShield on three benchmark image classification datasets. We
show that MIAShield effectively mitigates membership inference (near random
guess) for a wide range of MIAs, achieves a far better privacy-utility trade-off
compared with state-of-the-art defenses, and remains resilient against an
adaptive adversary.
Related papers
- Cascading and Proxy Membership Inference Attacks [17.7796850086875]
A Membership Inference Attack (MIA) assesses how much a trained machine learning model reveals about its training data. We classify existing MIAs into adaptive or non-adaptive, depending on whether the adversary is allowed to train shadow models on membership queries. In the adaptive setting, where the adversary can train shadow models after accessing query instances, we propose an attack-agnostic framework called Cascading Membership Inference Attack (CMIA). In the non-adaptive setting, where the adversary is restricted to training shadow models before obtaining membership queries, we introduce Proxy Membership Inference Attack (PMIA).
arXiv Detail & Related papers (2025-07-29T00:46:09Z)
- ConformalSAM: Unlocking the Potential of Foundational Segmentation Models in Semi-Supervised Semantic Segmentation with Conformal Prediction [57.930531826380836]
This work explores whether a foundational segmentation model can address label scarcity in the pixel-level vision task as an annotator for unlabeled images. We propose ConformalSAM, a novel SSSS framework which first calibrates the foundation model using the target domain's labeled data and then filters out unreliable pixel labels of unlabeled data.
arXiv Detail & Related papers (2025-07-21T17:02:57Z)
- Privacy Leaks by Adversaries: Adversarial Iterations for Membership Inference Attack [21.396030274654073]
We propose IMIA, a novel attack strategy that utilizes the process of generating adversarial samples to infer membership. We conduct experiments across multiple models and datasets, and our results demonstrate that the number of iterations for generating an adversarial sample is a reliable feature for membership inference.
arXiv Detail & Related papers (2025-06-03T10:09:24Z)
- Enhancing Sample Selection by Cutting Mislabeled Easy Examples [62.13094877228772]
We show that mislabeled examples correctly predicted by the model early in the training process are particularly harmful to model performance.
We propose Early Cutting, which employs the model's later training state to re-select the confident subset identified early in training.
arXiv Detail & Related papers (2025-02-12T09:12:45Z)
- Detecting Training Data of Large Language Models via Expectation Maximization [62.28028046993391]
We introduce EM-MIA, a novel membership inference method that iteratively refines membership scores and prefix scores via an expectation-maximization algorithm.
EM-MIA achieves state-of-the-art results on WikiMIA.
arXiv Detail & Related papers (2024-10-10T03:31:16Z)
- AFD: Mitigating Feature Gap for Adversarial Robustness by Feature Disentanglement [56.90364259986057]
Adversarial fine-tuning methods enhance adversarial robustness by fine-tuning the pre-trained model in an adversarial training manner.
We propose a disentanglement-based approach to explicitly model and remove the specific latent features.
Our approach surpasses existing adversarial fine-tuning methods and adversarial training baselines.
arXiv Detail & Related papers (2024-01-26T08:38:57Z)
- Model Stealing Attack against Graph Classification with Authenticity, Uncertainty and Diversity [80.16488817177182]
GNNs are vulnerable to the model stealing attack, a nefarious endeavor geared towards duplicating the target model via query permissions.
We introduce three model stealing attacks to adapt to different actual scenarios.
arXiv Detail & Related papers (2023-12-18T05:42:31Z)
- MIA-BAD: An Approach for Enhancing Membership Inference Attack and its Mitigation with Federated Learning [6.510488168434277]
The membership inference attack (MIA) is a popular paradigm for compromising the privacy of a machine learning (ML) model.
We propose an enhanced Membership Inference Attack with the Batch-wise generated Attack dataset (MIA-BAD).
We show that training an ML model through FL has some distinct advantages, and we investigate how the threat introduced with the proposed MIA-BAD approach can be mitigated with FL approaches.
arXiv Detail & Related papers (2023-11-28T06:51:26Z)
- Practical Membership Inference Attacks against Fine-tuned Large Language Models via Self-prompt Calibration [32.15773300068426]
Membership Inference Attacks aim to infer whether a target data record has been utilized for model training.
We propose a Membership Inference Attack based on Self-calibrated Probabilistic Variation (SPV-MIA).
arXiv Detail & Related papers (2023-11-10T13:55:05Z)
- When Fairness Meets Privacy: Exploring Privacy Threats in Fair Binary Classifiers via Membership Inference Attacks [17.243744418309593]
We propose an efficient MIA method against fairness-enhanced models based on fairness discrepancy results.
We also explore potential strategies for mitigating privacy leakages.
arXiv Detail & Related papers (2023-11-07T10:28:17Z)
- Ensemble Modeling for Multimodal Visual Action Recognition [50.38638300332429]
We propose an ensemble modeling approach for multimodal action recognition.
We independently train individual modality models using a variant of focal loss tailored to handle the long-tailed distribution of the MECCANO [21] dataset.
arXiv Detail & Related papers (2023-08-10T08:43:20Z)
- Membership Inference Attacks against Synthetic Data through Overfitting Detection [84.02632160692995]
We argue for a realistic MIA setting that assumes the attacker has some knowledge of the underlying data distribution.
We propose DOMIAS, a density-based MIA model that aims to infer membership by targeting local overfitting of the generative model.
arXiv Detail & Related papers (2023-02-24T11:27:39Z)
- MAPS: A Noise-Robust Progressive Learning Approach for Source-Free Domain Adaptive Keypoint Detection [76.97324120775475]
Cross-domain keypoint detection methods always require accessing the source data during adaptation.
This paper considers source-free domain adaptive keypoint detection, where only the well-trained source model is provided to the target domain.
arXiv Detail & Related papers (2023-02-09T12:06:08Z)
- RelaxLoss: Defending Membership Inference Attacks without Losing Utility [68.48117818874155]
We propose a novel training framework based on a relaxed loss with a more achievable learning target.
RelaxLoss is applicable to any classification model with added benefits of easy implementation and negligible overhead.
Our approach consistently outperforms state-of-the-art defense mechanisms in terms of resilience against MIAs.
arXiv Detail & Related papers (2022-07-12T19:34:47Z)
- Holistic Approach to Measure Sample-level Adversarial Vulnerability and its Utility in Building Trustworthy Systems [17.707594255626216]
An adversarial attack perturbs an image with imperceptible noise, leading to an incorrect model prediction.
We propose a holistic approach for quantifying adversarial vulnerability of a sample by combining different perspectives.
We demonstrate that by reliably estimating adversarial vulnerability at the sample level, it is possible to develop a trustworthy system.
arXiv Detail & Related papers (2022-05-05T12:36:17Z)
- Sampling Attacks: Amplification of Membership Inference Attacks by Repeated Queries [74.59376038272661]
We introduce the sampling attack, a novel membership inference technique that, unlike other standard membership adversaries, works under the severe restriction of having no access to the victim model's scores.
We show that a victim model that only publishes the labels is still susceptible to sampling attacks and the adversary can recover up to 100% of its performance.
For defense, we choose differential privacy in the form of gradient perturbation during the training of the victim model as well as output perturbation at prediction time.
arXiv Detail & Related papers (2020-09-01T12:54:54Z)
- Membership Leakage in Label-Only Exposures [10.875144776014533]
We propose decision-based membership inference attacks against machine learning models.
In particular, we develop two types of decision-based attacks, namely the transfer attack and the boundary attack.
We also present new insights on the success of membership inference based on quantitative and qualitative analysis.
arXiv Detail & Related papers (2020-07-30T15:27:55Z)