Hide in Plain Sight: Clean-Label Backdoor for Auditing Membership Inference

TL;DR

This paper introduces a stealthy, clean-label backdoor method for membership inference attacks that enables effective data auditing without detectable label alterations, enhancing privacy assessment tools.

Contribution

The paper presents a novel clean-label backdoor approach for MIAs that improves stealthiness and robustness, using an optimal trigger generated by a shadow model to mimic target model behavior.

Findings

Achieves high attack success rates across datasets and models

Outperforms baseline methods in stealth and effectiveness

Maintains natural labels, avoiding visual artifacts

Abstract

Membership inference attacks (MIAs) are critical tools for assessing privacy risks and ensuring compliance with regulations like the General Data Protection Regulation (GDPR). However, their potential for auditing unauthorized use of data remains under explored. To bridge this gap, we propose a novel clean-label backdoor-based approach for MIAs, designed specifically for robust and stealthy data auditing. Unlike conventional methods that rely on detectable poisoned samples with altered labels, our approach retains natural labels, enhancing stealthiness even at low poisoning rates. Our approach employs an optimal trigger generated by a shadow model that mimics the target model's behavior. This design minimizes the feature-space distance between triggered samples and the source class while preserving the original data labels. The result is a powerful and undetectable auditing mechanism that overcomes limitations of existing approaches, such as label inconsistencies and visual artifacts in poisoned samples. The proposed method enables robust data auditing through black-box access, achieving high attack success rates across diverse datasets and model architectures. Additionally, it addresses challenges related to trigger stealthiness and poisoning durability, establishing itself as a practical and effective solution for data auditing. Comprehensive experiments validate the efficacy and generalizability of our approach, outperforming several baseline methods in both stealth and attack success metrics.