LG | AI | May 13, 2024

GLiRA: Black-Box Membership Inference Attack via Knowledge Distillation

arXiv:2405.07562v1 | 10 citations | h-index: 8
Originality: Incremental advance
AI Analysis

This addresses privacy concerns for users of DNNs by enhancing attack capabilities, but it is incremental as it builds on existing likelihood ratio and distillation methods.

The paper tackles the problem of privacy vulnerabilities in deep neural networks by proposing GLiRA, a black-box membership inference attack method that uses knowledge distillation to improve efficiency. The result shows that this approach outperforms current state-of-the-art attacks in black-box settings across multiple image classification datasets and models.

While Deep Neural Networks (DNNs) have demonstrated remarkable performance in tasks related to perception and control, there are still several unresolved concerns regarding the privacy of their training data, particularly in the context of vulnerability to Membership Inference Attacks (MIAs). In this paper, we explore a connection between the susceptibility to membership inference attacks and the vulnerability to distillation-based functionality stealing attacks. In particular, we propose GLiRA, a distillation-guided approach to membership inference attack on the black-box neural network. We observe that the knowledge distillation significantly improves the efficiency of likelihood ratio of membership inference attack, especially in the black-box setting, i.e., when the architecture of the target model is unknown to the attacker. We evaluate the proposed method across multiple image classification datasets and models and demonstrate that likelihood ratio attacks, when guided by the knowledge distillation, outperform the current state-of-the-art membership inference attacks in the black-box setting.
