DOI: 10.1145/3548606.3560675
research-article
Open Access

Enhanced Membership Inference Attacks against Machine Learning Models

Published: 07 November 2022

ABSTRACT

How much does a machine learning algorithm leak about its training data, and why? Membership inference attacks are used as an auditing tool to quantify this leakage. In this paper, we present a comprehensive hypothesis testing framework that enables us not only to formally express the prior work in a consistent way, but also to design new membership inference attacks that use reference models to achieve a significantly higher power (true positive rate) for any (false positive rate) error. More importantly, we explain why different attacks perform differently. We present a template for indistinguishability games, and provide an interpretation of attack success rate across different instances of the game. We discuss various uncertainties of attackers that arise from the formulation of the problem, and show how our approach tries to minimize the attack uncertainty to the one bit secret about the presence or absence of a data point in the training set. We perform a differential analysis between all types of attacks, explain the gap between them, and show what causes data points to be vulnerable to an attack (as the reasons vary due to different granularities of memorization, from overfitting to conditional memorization). Our auditing framework is openly accessible as part of the Privacy Meter software tool.

Supplemental Material

CCS22-fpb586.mp4

Presentation video - short version
