Inference Attacks: A Taxonomy, Survey, and Promising Directions

TL;DR

This paper provides a comprehensive taxonomy and survey of inference attacks in machine learning, analyzing their types, workflows, defenses, and future research directions to address privacy concerns in MLaaS.

Contribution

It introduces the 3MP taxonomy for inference attacks, systematically analyzes attack types and defenses, and highlights promising future research directions.

Findings

Proposes the 3MP taxonomy for inference attacks.

Analyzes strengths and weaknesses of each attack type.

Identifies promising directions for future research.

Abstract

The prosperity of machine learning has also brought people's concerns about data privacy. Among them, inference attacks can implement privacy breaches in various MLaaS scenarios and model training/prediction phases. Specifically, inference attacks can perform privacy inference on undisclosed target training sets based on outputs of the target model, including but not limited to statistics, membership, semantics, data representation, etc. For instance, infer whether the target data has the characteristics of AIDS. In addition, the rapid development of the machine learning community in recent years, especially the surge of model types and application scenarios, has further stimulated the inference attacks' research. Thus, studying inference attacks and analyzing them in depth is urgent and significant. However, there is still a gap in the systematic discussion of inference attacks from taxonomy, global perspective, attack, and defense perspectives. This survey provides an in-depth and comprehensive inference of attacks and corresponding countermeasures in ML-as-a-service based on taxonomy and the latest researches. Without compromising researchers' intuition, we first propose the 3MP taxonomy based on the community research status, trying to normalize the confusing naming system of inference attacks. Also, we analyze the pros and cons of each type of inference attack, their workflow, countermeasure, and how they interact with other attacks. In the end, we point out several promising directions for researchers from a more comprehensive and novel perspective.