TransMIA: Membership Inference Attacks Using Transfer Shadow Training

TL;DR

This paper introduces TransMIA, a novel transfer learning-based membership inference attack that leverages transfer shadow training to enhance attack performance, revealing privacy vulnerabilities in transferred models.

Contribution

The paper proposes a transfer shadow training technique for membership inference attacks, significantly improving attack effectiveness with limited shadow data, and analyzes different transfer learning approaches.

Findings

TransMIA outperforms existing methods in attack accuracy.

Transfer shadow training enhances inference performance with limited data.

Different transfer learning strategies impact attack success rates.

Abstract

Transfer learning has been widely studied and gained increasing popularity to improve the accuracy of machine learning models by transferring some knowledge acquired in different training. However, no prior work has pointed out that transfer learning can strengthen privacy attacks on machine learning models. In this paper, we propose TransMIA (Transfer learning-based Membership Inference Attacks), which use transfer learning to perform membership inference attacks on the source model when the adversary is able to access the parameters of the transferred model. In particular, we propose a transfer shadow training technique, where an adversary employs the parameters of the transferred model to construct shadow models, to significantly improve the performance of membership inference when a limited amount of shadow training data is available to the adversary. We evaluate our attacks using two real datasets, and show that our attacks outperform the state-of-the-art that does not use our transfer shadow training technique. We also compare four combinations of the learning-based/entropy-based approach and the fine-tuning/freezing approach, all of which employ our transfer shadow training technique. Then we examine the performance of these four approaches based on the distributions of confidence values, and discuss possible countermeasures against our attacks.