GLiRA: Black-Box Membership Inference Attack via Knowledge Distillation

TL;DR

This paper introduces GLiRA, a novel black-box membership inference attack leveraging knowledge distillation to significantly improve attack efficiency and outperform existing methods across various image classification models.

Contribution

We propose GLiRA, a distillation-guided approach that enhances likelihood ratio-based membership inference attacks in black-box neural networks, addressing a key privacy vulnerability.

Findings

GLiRA outperforms current state-of-the-art attacks in black-box settings.

Knowledge distillation improves the likelihood ratio attack efficiency.

The method is effective across multiple datasets and models.

Abstract

While Deep Neural Networks (DNNs) have demonstrated remarkable performance in tasks related to perception and control, there are still several unresolved concerns regarding the privacy of their training data, particularly in the context of vulnerability to Membership Inference Attacks (MIAs). In this paper, we explore a connection between the susceptibility to membership inference attacks and the vulnerability to distillation-based functionality stealing attacks. In particular, we propose {GLiRA}, a distillation-guided approach to membership inference attack on the black-box neural network. We observe that the knowledge distillation significantly improves the efficiency of likelihood ratio of membership inference attack, especially in the black-box setting, i.e., when the architecture of the target model is unknown to the attacker. We evaluate the proposed method across multiple image classification datasets and models and demonstrate that likelihood ratio attacks when guided by the knowledge distillation, outperform the current state-of-the-art membership inference attacks in the black-box setting.