Label-Only Membership Inference Attacks

Christopher Choquette-Choo · Florian Tramer · Nicholas Carlini · Nicolas Papernot

Keywords: [ Privacy, Anonymity, and Security ] [ Social Aspects of Machine Learning ]

[ Abstract ]
[ Paper ] [ Visit Poster at Spot A4 in Virtual World ]
Thu 22 Jul 9 a.m. PDT — 11 a.m. PDT
Spotlight presentation: Privacy 2
Thu 22 Jul 7 a.m. PDT — 8 a.m. PDT


Membership inference is one of the simplest privacy threats faced by machine learning models that are trained on private sensitive data. In this attack, an adversary infers whether a particular point was used to train the model, or not, by observing the model's predictions. Whereas current attack methods all require access to the model's predicted confidence score, we introduce a label-only attack that instead evaluates the robustness of the model's predicted (hard) labels under perturbations of the input, to infer membership. Our label-only attack is not only as-effective as attacks requiring access to confidence scores, it also demonstrates that a class of defenses against membership inference, which we call ``confidence masking'' because they obfuscate the confidence scores to thwart attacks, are insufficient to prevent the leakage of private information. Our experiments show that training with differential privacy or strong L2 regularization are the only current defenses that meaningfully decrease leakage of private information, even for points that are outliers of the training distribution.

Chat is not available.