An Empirical Study of Black-Box Based Membership Inference Attacks on a Real-World Dataset

EasyChair Preprint 15453

Abstract

The recent advancements in artificial intelligence drive the widespread adoption of Machine-Learning-as-a-Service platforms, which offers valuable services. However, these pervasive utilities in the cloud environment unavoidably encounter security and privacy issues. In particular, a membership inference attack (MIA) poses a threat by recognizing the presence of a data sample in a training set for the target model. Although prior MIA approaches underline privacy risks repeatedly by demonstrating experimental results with standard benchmark datasets such as MNIST and CIFAR. However, the effectiveness of such techniques on a real-world dataset remains questionable. We are the first to perform an in-depth empirical study on black-box based MIAs that hold realistic assumptions, including six metric-based and three classifier-based MIAs with the high-dimensional image dataset that consists of identification (ID) cards and driving licenses. Additionally, we introduce the Siamese-based MIA that shows similar or better performance than the state-of-the-art approaches and suggest training a shadow model with autoencoder based reconstructed images. Our major findings show that the performance of MIA techniques against too many features may be degraded; the MIA configuration or a sample’s properties can impact the accuracy of membership inference on members and non-members.

Keyphrases: Membership Inference Attack, Security and Privacy of AI, machine learning

@booklet{EasyChair:15453,
  author    = {Yujeong Kwon and Simon Woo and Hyungjoon Koo},
  title     = {An Empirical Study of Black-Box Based Membership Inference Attacks on a Real-World Dataset},
  howpublished = {EasyChair Preprint 15453},
  year      = {EasyChair, 2024}}