LeakBoost: Perceptual-Loss-Based Membership Inference Attack

TL;DR

LeakBoost addresses privacy risks in membership inference by introducing an active interrogation mechanism that optimizes a perceptual loss over internal activations to generate interrogation images. These boosted samples are fed into existing detectors (notably GLiR), yielding substantial gains in low-FPR leakage across CIFAR-10/100 and architectures including ViT-4 and AlexNet, with the best results arising from short, low-learning-rate optimizations and deeper representations. The method is detector-agnostic and lightweight, reframing MIA as a dynamic, interrogation-based problem and providing a practical tool for privacy assessment and defense evaluation. By linking representational geometry to memorization, LeakBoost offers insights into privacy risks in white-box settings and suggests directions for cross-modal extensions and defense research.

Abstract

Membership inference attacks (MIAs) aim to determine whether a sample was part of a model's training set, posing serious privacy risks for modern machine-learning systems. Existing MIAs primarily rely on static indicators, such as loss or confidence, and do not fully leverage the dynamic behavior of models when actively probed. We propose LeakBoost, a perceptual-loss-based interrogation framework that actively probes a model's internal representations to expose hidden membership signals. Given a candidate input, LeakBoost synthesizes an interrogation image by optimizing a perceptual (activation-space) objective, amplifying representational differences between members and non-members. This image is then analyzed by an off-the-shelf membership detector, without modifying the detector itself. When combined with existing membership inference methods, LeakBoost achieves substantial improvements at low false-positive rates across multiple image classification datasets and diverse neural network architectures. In particular, it raises AUC from near-chance levels (0.53-0.62) to 0.81-0.88, and increases TPR at 1 percent FPR by over an order of magnitude compared to strong baseline attacks. A detailed sensitivity analysis reveals that deeper layers and short, low-learning-rate optimization produce the strongest leakage, and that improvements concentrate in gradient-based detectors. LeakBoost thus offers a modular and computationally efficient way to assess privacy risks in white-box settings, advancing the study of dynamic membership inference.

Figures (11)

• Figure 1: LeakBoost pipeline. Given a target image $x_s$ and a target model $T_\theta$, optimize $x_g$ for T steps to minimize $\mathcal{L}_{\mathrm{perc}}(x_s;x_g)$ to obtain the interrogation image, which is then passed to a detector to infer membership.
• Figure 2: Examples of interrogation outputs. Each column shows an original image (top) and its boosted counterparts generated by optimizing toward different layer levels of the target model. Boosted images exhibit distinct noise patterns that amplify representational differences between members and non-members.
• Figure 3: ROC curves for membership inference attacks on CIFAR-10 and CIFAR-100 across four architectures. Solid lines denote baseline methods (SIF, LAEQ, GLiR, IA) and dashed green denotes LeakBoost.
• Figure 4: ROC comparison: baseline (solid) vs. boosted (dashed) for SIF, LAEQ, IA, and GLiR across CIFAR-10/100 and four architectures. Boosting substantially helps GLiR (notably on ViT-4 and AlexNet) but yields small or negative changes for SIF/LAEQ/IA.
• Figure 5: Absolute $\Delta$ pAUC@1% from boosting. Bars to the left ("GLiR") show consistent positive improvements ($\sim 10^{-3}$), while non-GLiR detectors display near-zero or negative shifts (mostly within $\pm 10^{-5}$ to $10^{-4}$).