Privacy Leaks by Adversaries: Adversarial Iterations for Membership Inference Attack
Jing Xue, Zhishen Sun, Haishan Ye, Luo Luo, Xiangyu Chang, Ivor Tsang, Guang Dai

TL;DR
This paper introduces IMIA, a novel membership inference attack that uses the number of iterations required to generate an adversarial sample to determine whether data was part of a model's training set, revealing new privacy risks.
Contribution
The paper presents a new attack method using adversarial iteration counts for membership inference, expanding privacy evaluation techniques beyond traditional output-based methods.
Findings
Adversarial iteration count is a reliable feature for membership inference.
IMIA performs well in both black-box and white-box attack scenarios.
The method highlights potential privacy leakage via adversarial example analysis.
Abstract
Membership inference attack (MIA) has become one of the most widely used and effective methods for evaluating the privacy risks of machine learning models. These attacks aim to determine whether a specific sample is part of the model's training set by analyzing the model's output. While traditional membership inference attacks focus on leveraging the model's posterior output, such as confidence on the target sample, we propose IMIA, a novel attack strategy that utilizes the process of generating adversarial samples to infer membership. We propose to infer the member properties of the target sample using the number of iterations required to generate its adversarial sample. We conduct experiments across multiple models and datasets, and our results demonstrate that the number of iterations for generating an adversarial sample is a reliable feature for membership inference, achieving…
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Security and Verification in Computing · Cryptography and Data Security
