Chameleon: Increasing Label-Only Membership Leakage with Adaptive Poisoning
This addresses privacy risks for individuals whose data is used in ML training, by enhancing attack capabilities in realistic scenarios, though it is incremental as it builds on existing poisoning strategies.
The paper tackled the problem of membership inference attacks in the label-only setting, where attackers only have access to predicted labels, and showed that existing attacks are ineffective at low false positive rates. The proposed Chameleon attack achieved significantly more accurate membership inference than prior methods, with concrete improvements in low FPR regimes.
The integration of machine learning (ML) in numerous critical applications introduces a range of privacy concerns for individuals who provide their datasets for model training. One such privacy risk is Membership Inference (MI), in which an attacker seeks to determine whether a particular data sample was included in the training dataset of a model. Current state-of-the-art MI attacks capitalize on access to the model's predicted confidence scores to successfully perform membership inference, and employ data poisoning to further enhance their effectiveness. In this work, we focus on the less explored and more realistic label-only setting, where the model provides only the predicted label on a queried sample. We show that existing label-only MI attacks are ineffective at inferring membership in the low False Positive Rate (FPR) regime. To address this challenge, we propose a new attack Chameleon that leverages a novel adaptive data poisoning strategy and an efficient query selection method to achieve significantly more accurate membership inference than existing label-only attacks, especially at low FPRs.