Sampling Attacks: Amplification of Membership Inference Attacks by Repeated Queries
Shadi Rahimian, Tribhuvanesh Orekondy, Mario Fritz

TL;DR
This paper introduces a novel sampling attack that can perform membership inference even with limited model access, demonstrating its effectiveness and evaluating defenses like differential privacy across various datasets.
Contribution
The paper presents a new sampling attack method capable of inferring membership with minimal model access and evaluates its effectiveness against differential privacy defenses.
Findings
Against label-only models, the sampling attack recovers up to 100% of the performance it achieves when posterior vectors are provided.
Output perturbation provides effective privacy protection with minimal utility loss.
The attack remains effective across diverse datasets and models.
Abstract
Machine learning models have been shown to leak information violating the privacy of their training set. We focus on membership inference attacks on machine learning models, which aim to determine whether a data point was used to train the victim model. Our work consists of two sides: We introduce the sampling attack, a novel membership inference technique that, unlike other standard membership adversaries, is able to work under the severe restriction of no access to scores of the victim model. We show that a victim model that only publishes the labels is still susceptible to sampling attacks and the adversary can recover up to 100% of its performance compared to when posterior vectors are provided. The other side of our work includes experimental results on two recent membership inference attack models and the defenses against them. For defense, we choose differential privacy in the form of…
Taxonomy
Topics: Privacy-Preserving Technologies in Data · Adversarial Robustness in Machine Learning · Cryptography and Data Security
