TY - GEN
T1 - A Pragmatic Approach to Membership Inferences on Machine Learning Models
AU - Long, Yunhui
AU - Wang, Lei
AU - Bu, Diyue
AU - Bindschaedler, Vincent
AU - Wang, Xiaofeng
AU - Tang, Haixu
AU - Gunter, Carl A.
AU - Chen, Kai
N1 - Publisher Copyright:
© 2020 IEEE.
PY - 2020/9
Y1 - 2020/9
N2 - Membership Inference Attacks (MIAs) aim to determine the presence of a record in a machine learning model's training data by querying the model. Recent work has demonstrated the effectiveness of MIA on various machine learning models, and corresponding defenses have been proposed. However, both attacks and defenses have focused on an adversary that indiscriminately attacks all the records without regard to the cost of false positives or negatives. In this work, we revisit membership inference attacks from the perspective of a pragmatic adversary who carefully selects targets and makes predictions conservatively. We design a new evaluation methodology that allows us to evaluate the membership privacy risk at the level of individuals and not only in aggregate. We experimentally demonstrate that highly vulnerable records exist even when the aggregate attack precision is close to 50% (baseline). Specifically, on the MNIST dataset, our pragmatic adversary achieves a precision of 95.05% whereas the prior attack only achieves a precision of 51.7%.
AB - Membership Inference Attacks (MIAs) aim to determine the presence of a record in a machine learning model's training data by querying the model. Recent work has demonstrated the effectiveness of MIA on various machine learning models, and corresponding defenses have been proposed. However, both attacks and defenses have focused on an adversary that indiscriminately attacks all the records without regard to the cost of false positives or negatives. In this work, we revisit membership inference attacks from the perspective of a pragmatic adversary who carefully selects targets and makes predictions conservatively. We design a new evaluation methodology that allows us to evaluate the membership privacy risk at the level of individuals and not only in aggregate. We experimentally demonstrate that highly vulnerable records exist even when the aggregate attack precision is close to 50% (baseline). Specifically, on the MNIST dataset, our pragmatic adversary achieves a precision of 95.05% whereas the prior attack only achieves a precision of 51.7%.
KW - n/a
UR - http://www.scopus.com/inward/record.url?scp=85096607958&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85096607958&partnerID=8YFLogxK
U2 - 10.1109/EuroSP48549.2020.00040
DO - 10.1109/EuroSP48549.2020.00040
M3 - Conference contribution
AN - SCOPUS:85096607958
T3 - Proceedings - 5th IEEE European Symposium on Security and Privacy, Euro S and P 2020
SP - 521
EP - 534
BT - Proceedings - 5th IEEE European Symposium on Security and Privacy, Euro S and P 2020
PB - Institute of Electrical and Electronics Engineers Inc.
T2 - 5th IEEE European Symposium on Security and Privacy, Euro S and P 2020
Y2 - 7 September 2020 through 11 September 2020
ER -