LoMime: Query-Efficient Membership Inference using Model Extraction in Label-Only Settings
Abdullah Caglar Oksuz, Anisa Halimi, Erman Ayday
TL;DR
This paper introduces LoMime, a cost-effective label-only membership inference attack that uses model extraction to significantly reduce query costs while maintaining high accuracy, even under strict black-box constraints.
Contribution
LoMime presents a novel transferability-based framework that shifts query overhead to a one-time model extraction phase, enabling efficient membership inference in label-only settings.
Findings
Achieves membership inference accuracy within ±1% of the target model.
Reduces query costs to about 1% of training samples.
Maintains effectiveness against standard defenses.
Abstract
Membership inference attacks (MIAs) threaten the privacy of machine learning models by revealing whether a specific data point was used during training. Existing MIAs often rely on impractical assumptions such as access to public datasets, shadow models, confidence scores, or training data distribution knowledge and making them vulnerable to defenses like confidence masking and adversarial regularization. Label-only MIAs, even under strict constraints suffer from high query requirements per sample. We propose a cost-effective label-only MIA framework based on transferability and model extraction. By querying the target model M using active sampling, perturbation-based selection, and synthetic data, we extract a functionally similar surrogate S on which membership inference is performed. This shifts query overhead to a one-time extraction phase, eliminating repeated queries to M .…
Peer Reviews
Decision·Submitted to ICLR 2026
* The efficiency of label-only membership inference attacks is an important and practical research problem. * The experimental results show that the proposed method is computationally efficient while achieving good attack performance.
* It is unclear why the main experiments are not compared with existing methods. Although the authors state on Page 8 that previous approaches are too costly in terms of queries, a comparison under the same setting would provide a clearer understanding of the trade-off between efficiency and effectiveness. Moreover, state-of-the-art MIA methods such as LiRA should also be included in the comparison. * Several recent label-only MIA methods that focus on efficiency are not mentioned or compared, s
1. Good writing, easy to follow. 2. The paper tries to solve an important problem.
1. **Incremental contribution**: While the paper presents a unified two-stage attack pipeline, much of its methodology is composed of components adapted from prior work. On the extraction side, the query-efficient active sampling strategy closely follows MARICH, while the synthetic-perturbation-based data generation is derived from AUTOLYCUS. On the inference side, the membership attack relies on standard label-only decision-boundary measurements similar to earlier works. As a result, the novelt
The paper presents a reasonable evaluation with ROC curves on three datasets that allow the reader to understand what the attack does.
My primary concern with this paper is that all of the evaluations are for ML models that are *severely* overfit. As the paper writes: "Note that all target models are overfitted and achieve close to perfect training accuracy (≈ 100%)". This is the wrong approach to take for MIA schemes: because we know that the primary driver of membership inference is overfitting, running an attack when the defenses are most vulnerable doesn't make sense (Carlini et al. 2022). I would be much more interested in
Videos
No videos yet. Explain this paper in a talk, walkthrough, or lecture? Add one.
Taxonomy
TopicsAdversarial Robustness in Machine Learning · Privacy-Preserving Technologies in Data · Advanced Graph Neural Networks