Membership Inference Attack Using Self Influence Functions
This addresses privacy threats for models trained on sensitive data, such as medical records, by improving attack effectiveness in scenarios where model internals are accessible.
The paper tackles the problem of membership inference attacks in white-box settings by proposing a novel method using self-influence scores, achieving state-of-the-art results on datasets like CIFAR-10, CIFAR-100, and Tiny ImageNet with various architectures.
Member inference (MI) attacks aim to determine if a specific data sample was used to train a machine learning model. Thus, MI is a major privacy threat to models trained on private sensitive data, such as medical records. In MI attacks one may consider the black-box settings, where the model's parameters and activations are hidden from the adversary, or the white-box case where they are available to the attacker. In this work, we focus on the latter and present a novel MI attack for it that employs influence functions, or more specifically the samples' self-influence scores, to perform the MI prediction. We evaluate our attack on CIFAR-10, CIFAR-100, and Tiny ImageNet datasets, using versatile architectures such as AlexNet, ResNet, and DenseNet. Our attack method achieves new state-of-the-art results for both training with and without data augmentations. Code is available at https://github.com/giladcohen/sif_mi_attack.