Machine learning (ML) has been widely adopted in various privacy-critical applications, e.g., face recognition and medical image analysis. However, recent research has shown that ML models are vulnerable to attacks against their training data. Membership inference is one major attack in this domain: given a data sample and a model, an adversary aims to determine whether the sample is part of the model's training set. Existing membership inference attacks leverage the confidence scores returned by the model as their inputs (score-based attacks). However, these attacks can be easily mitigated if the model only exposes the predicted label, i.e., the final model decision. In this paper, we propose decision-based membership inference attacks and demonstrate that label-only exposures are also vulnerable to membership leakage. In particular, we develop two types of decision-based attacks, namely the transfer attack and the boundary attack. Empirical evaluation shows that our decision-based attacks achieve remarkable performance, and even outperform previous score-based attacks in some cases. We further present new insights into the success of membership inference based on quantitative and qualitative analysis, i.e., member samples of a model lie farther from the model's decision boundary than non-member samples. Finally, we evaluate multiple defense mechanisms against our decision-based attacks and show that both types of attacks can bypass most of these defenses.