Cascading and Proxy Membership Inference Attacks

TL;DR

This paper introduces two novel membership inference attacks, CMIA and PMIA, that leverage membership dependencies and proxy strategies to significantly improve inference accuracy, highlighting increased privacy risks in machine learning models.

Contribution

The paper proposes the first attack-agnostic framework (CMIA) and a proxy-based attack (PMIA) for membership inference, advancing the state-of-the-art in privacy risk assessment.

Findings

CMIA and PMIA outperform existing MIAs in accuracy.

Both attacks are effective in low false-positive regimes.

Theoretical analyses support the effectiveness of the proposed methods.

Abstract

A Membership Inference Attack (MIA) assesses how much a trained machine learning model reveals about its training data by determining whether specific query instances were included in the dataset. We classify existing MIAs into adaptive or non-adaptive, depending on whether the adversary is allowed to train shadow models on membership queries. In the adaptive setting, where the adversary can train shadow models after accessing query instances, we highlight the importance of exploiting membership dependencies between instances and propose an attack-agnostic framework called Cascading Membership Inference Attack (CMIA), which incorporates membership dependencies via conditional shadow training to boost membership inference performance. In the non-adaptive setting, where the adversary is restricted to training shadow models before obtaining membership queries, we introduce Proxy Membership Inference Attack (PMIA). PMIA employs a proxy selection strategy that identifies samples with similar behaviors to the query instance and uses their behaviors in shadow models to perform a membership posterior odds test for membership inference. We provide theoretical analyses for both attacks, and extensive experimental results demonstrate that CMIA and PMIA substantially outperform existing MIAs in both settings, particularly in the low false-positive regime, which is crucial for evaluating privacy risks.