CR, LG | Sep 1, 2020

Sampling Attacks: Amplification of Membership Inference Attacks by Repeated Queries

arXiv:2009.00395v1 | 38 citations
Originality: Incremental advance
AI Analysis

This work addresses privacy vulnerabilities in machine learning models that publish only labels; it is incremental in that it builds on existing membership inference attack and defense frameworks.

The authors tackled the problem of membership inference attacks on machine learning models by introducing a sampling attack that works without access to model scores, achieving up to 100% performance recovery compared to attacks with full access. They also evaluated defenses, finding that output perturbation provides good privacy protection with minimal utility impact.

Machine learning models have been shown to leak information violating the privacy of their training set. We focus on membership inference attacks on machine learning models which aim to determine whether a data point was used to train the victim model. Our work consists of two sides: We introduce the sampling attack, a novel membership inference technique that unlike other standard membership adversaries is able to work under the severe restriction of no access to scores of the victim model. We show that a victim model that only publishes the labels is still susceptible to sampling attacks and the adversary can recover up to 100% of its performance compared to when posterior vectors are provided. The other side of our work includes experimental results on two recent membership inference attack models and the defenses against them. For defense, we choose differential privacy in the form of gradient perturbation during the training of the victim model as well as output perturbation at prediction time. We carry out our experiments on a wide range of datasets which allows us to better analyze the interaction between adversaries, defense mechanisms and datasets. We find that our proposed fast and easy-to-implement output perturbation technique offers good privacy protection against membership inference attacks at little impact on utility.
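The following toy sketch is an added illustration of the mechanism the abstract describes; it is not code from the paper or its authors. The adversary has a label-only oracle, so it queries many Gaussian-perturbed copies of the target point and uses the returned label frequencies as a stand-in for the posterior vector, which is then fed to an ordinary confidence-threshold membership test. The 2-D logistic victim, the perturbation scale, the threshold, and the label-flipping form of output perturbation are all assumptions made for this example; the paper's models, parameters and exact defense mechanism are not given on this page.

```python
import math
import random

# Constructed toy victim: a 2-D logistic classifier with fixed weights (an
# assumption for this example; the paper's victim models are not on this page).
W = (3.0, -2.0)
B = 0.5


def posterior(x):
    """Full-access view: (P(class 0), P(class 1)) as a score-based MI attack sees it."""
    z = W[0] * x[0] + W[1] * x[1] + B
    p1 = 1.0 / (1.0 + math.exp(-z))
    return (1.0 - p1, p1)


def predict_label(x):
    """Label-only view: the only thing a label-publishing victim API returns."""
    p0, p1 = posterior(x)
    return 0 if p0 >= p1 else 1


def sampling_attack(label_oracle, x, n_queries=400, sigma=0.3, n_classes=2, seed=0):
    """Sampling attack: query n_queries Gaussian-perturbed copies of x against a
    label-only oracle and return the label frequencies as a posterior proxy.
    The majority-label frequency grows with x's distance from the decision
    boundary, which is the signal score-based attacks exploit."""
    rng = random.Random(seed)
    counts = [0] * n_classes
    for _ in range(n_queries):
        x_pert = tuple(xi + rng.gauss(0.0, sigma) for xi in x)
        counts[label_oracle(x_pert)] += 1
    return tuple(c / n_queries for c in counts)


def confidence_attack(scores, tau=0.9):
    """Standard confidence-threshold MI attack: flag x as a training member
    when the top score is at least tau (tau=0.9 is an assumed value)."""
    return max(scores) >= tau


def make_flipping_oracle(label_oracle, flip_prob=0.2, n_classes=2, seed=1):
    """Output perturbation at prediction time in its simplest label-only form
    (randomized response: with probability flip_prob the returned label is
    replaced by a uniformly random other label). Assumed mechanism for this
    example, not necessarily the one evaluated in the paper."""
    rng = random.Random(seed)

    def oracle(x):
        y = label_oracle(x)
        if rng.random() < flip_prob:
            y = (y + rng.randrange(1, n_classes)) % n_classes
        return y

    return oracle


if __name__ == "__main__":
    deep = (2.0, 0.0)       # far from the boundary: behaves like a memorised training point
    boundary = (0.0, 0.25)  # exactly on the boundary (z = 0): behaves like a non-member
    for name, x in (("deep", deep), ("boundary", boundary)):
        full = posterior(x)
        est = sampling_attack(predict_label, x)
        defended = sampling_attack(make_flipping_oracle(predict_label), x)
        print(f"{name}: full-access member={confidence_attack(full)}, "
              f"label-only member={confidence_attack(est)} est={est}, "
              f"with output perturbation member={confidence_attack(defended)} est={defended}")
```

For the point far from the boundary the label frequencies come out near (0, 1), so the label-only attacker reaches the same membership decision as one holding the true posterior; for the boundary point they hover around (0.5, 0.5) and the test correctly stays negative. With label flipping switched on, the deep point's estimated confidence is pulled down to about 1 - flip_prob, below the threshold, which is the qualitative effect the abstract attributes to output perturbation (at the cost of a flip_prob fraction of wrong answers to honest users). The frequency vector is a proxy, not the posterior itself: it measures how much probability mass of the perturbation ball falls on one side of the boundary.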
