TY - GEN
T1 - An Empirical Study of Black-Box Based Membership Inference Attacks on a Real-World Dataset
AU - Kwon, Yujeong
AU - Woo, Simon S.
AU - Koo, Hyungjoon
N1 - Publisher Copyright:
© The Author(s), under exclusive license to Springer Nature Switzerland AG 2025.
PY - 2025
Y1 - 2025
N2 - The recent advancements in artificial intelligence drive the widespread adoption of Machine-Learning-as-a-Service platforms, which offer valuable services. However, these pervasive utilities in the cloud environment unavoidably encounter security and privacy issues. In particular, a membership inference attack (MIA) poses a threat by recognizing the presence of a data sample in the training set of a victim model. Although prior MIA approaches repeatedly underline privacy risks by demonstrating experimental results on standard benchmark datasets such as MNIST and CIFAR, the effectiveness of such techniques on a real-world dataset remains questionable. We are the first to perform an in-depth empirical study of black-box-based MIAs under realistic assumptions, covering six metric-based and three classifier-based MIAs on a high-dimensional image dataset that consists of identification (ID) cards and driving licenses. Additionally, we introduce a Siamese-based MIA that shows similar or better performance than state-of-the-art approaches, and we suggest training a shadow model with autoencoder-based reconstructed images. Our major findings show that the performance of MIA techniques may degrade when too many features are involved, and that the MIA configuration or a sample’s properties can impact the accuracy of membership inference on members and non-members.
AB - The recent advancements in artificial intelligence drive the widespread adoption of Machine-Learning-as-a-Service platforms, which offer valuable services. However, these pervasive utilities in the cloud environment unavoidably encounter security and privacy issues. In particular, a membership inference attack (MIA) poses a threat by recognizing the presence of a data sample in the training set of a victim model. Although prior MIA approaches repeatedly underline privacy risks by demonstrating experimental results on standard benchmark datasets such as MNIST and CIFAR, the effectiveness of such techniques on a real-world dataset remains questionable. We are the first to perform an in-depth empirical study of black-box-based MIAs under realistic assumptions, covering six metric-based and three classifier-based MIAs on a high-dimensional image dataset that consists of identification (ID) cards and driving licenses. Additionally, we introduce a Siamese-based MIA that shows similar or better performance than state-of-the-art approaches, and we suggest training a shadow model with autoencoder-based reconstructed images. Our major findings show that the performance of MIA techniques may degrade when too many features are involved, and that the MIA configuration or a sample’s properties can impact the accuracy of membership inference on members and non-members.
KW - Machine Learning
KW - Membership Inference Attack
UR - https://www.scopus.com/pages/publications/105009406127
U2 - 10.1007/978-3-031-87496-3_9
DO - 10.1007/978-3-031-87496-3_9
M3 - Conference contribution
AN - SCOPUS:105009406127
SN - 9783031874956
T3 - Lecture Notes in Computer Science
SP - 121
EP - 137
BT - Foundations and Practice of Security - 17th International Symposium, FPS 2024, Revised Selected Papers
A2 - Adi, Kamel
A2 - Bourdeau, Simon
A2 - Durand, Christel
A2 - Viet Triem Tong, Valérie
A2 - Dulipovici, Alina
A2 - Kermarrec, Yvon
A2 - Garcia-Alfaro, Joaquin
PB - Springer Science and Business Media Deutschland GmbH
T2 - 17th International Symposium on Foundations and Practice of Security, FPS 2024
Y2 - 9 December 2024 through 11 December 2024
ER -