ML-Leaks: Model and Data Independent Membership Inference Attacks and Defenses on Machine Learning Models

Ahmed Salem, Yang Zhang, Mathias Humbert, Pascal Berrang, Mario Fritz, Michael Backes

TL;DR

The paper broadens the scope of membership inference attacks by relaxing the assumptions of prior work so that the attacks become model- and data-independent, and introduces three adversaries that mount attacks with progressively fewer requirements. It demonstrates across eight diverse datasets that membership information can be inferred under realistic, low-cost scenarios, including data-transfer and training-free attacks. To counter these risks, it proposes dropout and model stacking as effective defenses that preserve much of the model's utility. The work underscores substantial privacy risks in MLaaS and provides practical, scalable defense strategies with broad applicability across classifiers and data domains.

Abstract

Machine learning (ML) has become a core component of many real-world applications, and training data is a key factor that drives current progress. This huge success has led Internet companies to deploy machine learning as a service (MLaaS). Recently, the first membership inference attack has shown that extraction of information on the training set is possible in such MLaaS settings, which has severe security and privacy implications. However, the early demonstrations of the feasibility of such attacks have many assumptions on the adversary, such as using multiple so-called shadow models, knowledge of the target model structure, and having a dataset from the same distribution as the target model's training data. We relax all these key assumptions, thereby showing that such attacks are very broadly applicable at low cost and thereby pose a more severe risk than previously thought. We present the most comprehensive study so far on this emerging and developing threat using eight diverse datasets which show the viability of the proposed attacks across domains. In addition, we propose the first effective defense mechanisms against such a broader class of membership inference attacks that maintain a high level of utility of the ML model.

Paper Structure

This paper contains 22 sections, 1 equation, 19 figures, and 2 tables.

Figures (19)

  • Figure 1: Comparison of the first adversary's performance with Shokri et al.'s using all datasets. (a) precision, (b) recall.
  • Figure 2: The relation between the overfitting level of the target model measured by the difference between prediction accuracy on training set and testing set (x-axis) and membership inference attack performance (y-axis). (a) precision, (b) recall.
  • Figure 3: The relation between the number of epochs used during the training of the target model (x-axis) and membership inference attack performance (y-axis). (a) precision, (b) recall.
  • Figure 4: The effect of the number of posterior probabilities (used as features) on the first adversary's performance. (a) precision, (b) recall.
  • Figure 5: The effect of the number of shadow models on the first adversary's performance. (a) precision, (b) recall.
  • ...and 14 more figures