Machine learning (ML) models have been widely applied to various applications, including image classification, text generation, audio recognition, and graph data analysis. However, recent studies have shown that ML models are vulnerable to membership inference attacks (MIAs), which aim to infer whether a data record was used to train a target model or not. MIAs on ML models can directly lead to a privacy breach. For example, via identifying the fact that a clinical record that has been used to train a model associated with a certain disease, an attacker can infer that the owner of the clinical record has the disease with a high chance. In recent years, MIAs have been shown to be effective on various ML models, e.g., classification models and generative models. Meanwhile, many defense methods have been proposed to mitigate MIAs. Although MIAs on ML models form a newly emerging and rapidly growing research area, there has been no systematic survey on this topic yet. In this paper, we conduct the first comprehensive survey on membership inference attacks and defenses. We provide the taxonomies for both attacks and defenses, based on their characterizations, and discuss their pros and cons. Based on the limitations and gaps identified in this survey, we point out several promising future research directions to inspire the researchers who wish to follow this area. This survey not only serves as a reference for the research community but also brings a clear picture to researchers outside this research domain. To further facilitate the researchers, we have created an online resource repository and keep updating it with the future relevant works. Interested readers can find the repository at https://github.com/HongshengHu/membership-inference-machine-learning-literature.
翻译:机器学习(ML)模型被广泛应用于各种应用,包括图像分类、文本生成、音频识别和图表数据分析;然而,最近的研究显示,ML模型容易被成员推导攻击(MIAs),目的是推断数据记录是否被用于培训目标模型。ML模型上的MIA可以直接导致侵犯隐私。例如,通过查明用于培训与某种疾病有关的模型的临床记录,攻击者可以推断临床记录拥有者患上这种疾病的可能性很大。近年来,MIA模型被证明对多种ML模型(例如分类模型和基因化模型)有效。与此同时,许多国防方法被提议用于培训目标模型。虽然ML模型上的MIA可直接导致一个新的和迅速增长的研究领域,但还没有对此专题进行系统的调查。我们仅对成员推断攻击和防御进行首次全面调查。我们为各种攻击和防御提供了税性研究领域都具有效力,我们根据这些研究领域的最新研究方向,为这些研究领域提供了明确的研究方向,我们为这些研究领域提供了明确的研究领域提供了参考数据。