Membership Inference Attacks Against Semantic Segmentation Models

TL;DR

This paper conducts a comprehensive study of membership inference attacks on semantic segmentation models, revealing higher vulnerability than classification models and exploring defenses with privacy-utility trade-offs.

Contribution

It provides the first exhaustive analysis of membership inference attacks and defenses specifically for semantic segmentation models, including novel threat models involving model poisoning.

Findings

Attacks achieve high success rates on various architectures

Certain threat models increase attack effectiveness

Defenses often lead to privacy-utility trade-offs or higher costs

Abstract

Membership inference attacks aim to infer whether a data record has been used to train a target model by observing its predictions. In sensitive domains such as healthcare, this can constitute a severe privacy violation. In this work we attempt to address the existing knowledge gap by conducting an exhaustive study of membership inference attacks and defences in the domain of semantic image segmentation. Our findings indicate that for certain threat models, these learning settings can be considerably more vulnerable than the previously considered classification settings. We additionally investigate a threat model where a dishonest adversary can perform model poisoning to aid their inference and evaluate the effects that these adaptations have on the success of membership inference attacks. We quantitatively evaluate the attacks on a number of popular model architectures across a variety of semantic segmentation tasks, demonstrating that membership inference attacks in this domain can achieve a high success rate and defending against them may result in unfavourable privacy-utility trade-offs or increased computational costs.