Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Chameleon: Increasing Label-Only Membership Leakage with Adaptive Poisoning

Harsh Chaudhari, Giorgio Severi, Alina Oprea, Jonathan Ullman

TL;DR

Chameleon addresses a critical privacy risk in label-only membership inference by introducing an adaptive data-poisoning strategy and a neighborhood-based proxy for confidences, enabling strong leakage with as few as $64$ queries per point. The attack extends to multiple challenge points with bounded overhead and demonstrates substantial improvements over prior label-only MI methods across vision and tabular data, including CIFAR-10/100 and Purchase-100, with TPR gains up to roughly $23\%$ at $1\%$ FPR and notable AUC improvements. A theoretical MI analysis shows poisoning can amplify leakage up to an optimal point, aligning with empirical results, while experiments reveal a clear defense-utility trade-off for differential privacy. The work highlights practical privacy risks in label-only settings and suggests DP as a defense, albeit at the cost of reduced model utility, while also outlining future directions for low-FPR leakage without poisoning and more efficient defenses.

Abstract

The integration of machine learning (ML) in numerous critical applications introduces a range of privacy concerns for individuals who provide their datasets for model training. One such privacy risk is Membership Inference (MI), in which an attacker seeks to determine whether a particular data sample was included in the training dataset of a model. Current state-of-the-art MI attacks capitalize on access to the model's predicted confidence scores to successfully perform membership inference, and employ data poisoning to further enhance their effectiveness. In this work, we focus on the less explored and more realistic label-only setting, where the model provides only the predicted label on a queried sample. We show that existing label-only MI attacks are ineffective at inferring membership in the low False Positive Rate (FPR) regime. To address this challenge, we propose a new attack Chameleon that leverages a novel adaptive data poisoning strategy and an efficient query selection method to achieve significantly more accurate membership inference than existing label-only attacks, especially at low FPRs.

Chameleon: Increasing Label-Only Membership Leakage with Adaptive Poisoning

TL;DR

Chameleon addresses a critical privacy risk in label-only membership inference by introducing an adaptive data-poisoning strategy and a neighborhood-based proxy for confidences, enabling strong leakage with as few as queries per point. The attack extends to multiple challenge points with bounded overhead and demonstrates substantial improvements over prior label-only MI methods across vision and tabular data, including CIFAR-10/100 and Purchase-100, with TPR gains up to roughly at FPR and notable AUC improvements. A theoretical MI analysis shows poisoning can amplify leakage up to an optimal point, aligning with empirical results, while experiments reveal a clear defense-utility trade-off for differential privacy. The work highlights practical privacy risks in label-only settings and suggests DP as a defense, albeit at the cost of reduced model utility, while also outlining future directions for low-FPR leakage without poisoning and more efficient defenses.

Abstract

The integration of machine learning (ML) in numerous critical applications introduces a range of privacy concerns for individuals who provide their datasets for model training. One such privacy risk is Membership Inference (MI), in which an attacker seeks to determine whether a particular data sample was included in the training dataset of a model. Current state-of-the-art MI attacks capitalize on access to the model's predicted confidence scores to successfully perform membership inference, and employ data poisoning to further enhance their effectiveness. In this work, we focus on the less explored and more realistic label-only setting, where the model provides only the predicted label on a queried sample. We show that existing label-only MI attacks are ineffective at inferring membership in the low False Positive Rate (FPR) regime. To address this challenge, we propose a new attack Chameleon that leverages a novel adaptive data poisoning strategy and an efficient query selection method to achieve significantly more accurate membership inference than existing label-only attacks, especially at low FPRs.
Paper Structure (36 sections, 2 theorems, 17 equations, 6 figures, 6 tables, 2 algorithms)

This paper contains 36 sections, 2 theorems, 17 equations, 6 figures, 6 tables, 2 algorithms.

Table of Contents

  1. Introduction
  2. Background and Threat Model
  3. Related Work.
  4. Threat Model.
  5. Analyzing Existing Approaches.
  6. Chameleon Attack
  7. Attack Intuition
  8. Attack Details
  9. Adaptive Poisoning.
  10. Membership Neighborhood.
  11. Distinguishing Test.
  12. Label-Only MI Analysis
  13. Handling Multiple Challenge Points
  14. Adaptive Poisoning Strategy.
  15. Membership Neighborhood.
  16. ...and 21 more sections

Key Result

Theorem C.1

Given the sample $z_1$, binary membership variable $m_1$, poisoned dataset $D_p$ and the remaining training set $T$.

Figures (6)

  • Figure 1: Distribution of confidence scores for two challenge points (a Car and a Ship), highlighting the impact of poisoning on two different points of the CIFAR-10 dataset. Each row denotes the shift in model confidences (wrt. true label) for IN and OUT models with introduction of poisoned samples.
  • Figure 2: Impact of poisoning on confidences of IN and OUT models (wrt. the true label) for a challenge point in CIFAR-10 dataset.
  • Figure 3: Effect of poisoning on the scaled confidence (logit) distribution of a challenge point and its neighbors. Both the IN and OUT distributions of the near neighbor, unlike the far-away neighbor, exhibit a behavior similar to the challenge point distribution before and after introduction of poisoning.
  • Figure 4: Comparing Theoretical and Practical attack under poisoning.
  • Figure 5: Ablations for Adaptive Poisoning stage on CIFAR-10 dataset. We provide experiments by varying vaious hyperparameters used in the Adaptive Poisoning stage.
  • ...and 1 more figures

Theorems & Definitions (4)

  • Theorem C.1
  • proof
  • Theorem C.2
  • proof