Awesome
Membership Inference Attacks and Defenses on Machine Learning Models Literature
A curated list of membership inference attacks and defenses papers on machine learning models.
Papers are sorted by their released dates in descending order.
This repository serves as a complement to the survey below.
Membership Inference Attacks on Machine Learning: A Survey (More than 100 papers reviewed).
@article{hu2022membership,
title={Membership inference attacks on machine learning: A survey},
author={Hu, Hongsheng and Salcic, Zoran and Sun, Lichao and Dobbie, Gillian and Yu, Philip S and Zhang, Xuyun},
journal={ACM Computing Surveys (CSUR)},
volume={54},
number={11s},
pages={1--37},
year={2022},
publisher={ACM New York, NY}
}
If you feel this repository is helpful, please cite the survey above.
How to Search?
Search keywords like conference name (e.g., CCS), adversarial knowledge (e.g., Black-box), or target model (e.g., Classification Model) over the webpage to quickly locate related papers.
Quick Links
Attack papers sorted by year: | 2024 |2023 |2022 |2021 | 2020 | 2019 | 2018 | 2017 |
Defense papers sorted by year: | 2023 |2022 | 2021 | 2020 | 2019 | 2018 |
Membership Inference Attack
Attack Papers 2024
| Year | Title | Adversarial Knowledge | Target Model | Venue | Paper Link | Code Link |
|---|---|---|---|---|---|---|
| 2024 | Do Parameters Reveal More than Loss for Membership Inference? | White-box | Classification Models | ICML Workshop | Link | Link |
| 2024 | Low-Cost High-Power Membership Inference Attacks | Black-box | Classification Models | ICML | Link | Link |
| 2024 | LLM Dataset Inference Did you train on my dataset? | Black-box | LLM | Arxiv | Link | Link |
| 2024 | Shadow-Free Membership Inference Attacks: Recommender Systems Are More Vulnerable Than You Thought | Black-box | Recommender System | IJCAI | Link | Link |
| 2024 | Is My Data in Your Retrieval Database? Membership Inference Attacks Against Retrieval Augmented Generation | Black-box | Generative Models | Arxiv | Link | |
| 2024 | A Comprehensive Analysis of Factors Impacting Membership Inference | White-box; Black-box | Classification Models | CVPR workshop | Link | |
| 2024 | Lost in the Averages: A New Specific Setup to Evaluate Membership Inference Attacks Against Machine Learning Models | Black-box | Classification Models | Arxiv | Link | |
| 2024 | Better Membership Inference Privacy Measurement through Discrepancy | Black-box | Classification Models | Arxiv | Link | |
| 2024 | OSLO: One-Shot Label-Only Membership Inference Attacks | Black-box | Classification Models | Arxiv | Link | |
| 2024 | Please Tell Me More: Privacy Impact of Explainability through the Lens of Membership Inference Attack | Black-box | Classification Models | S&P | Link | |
| 2024 | Is my Data in your AI Model? Membership Inference Test with Application to Face Images | White-box; Black-box | Classification Models | Arxiv | Link | |
| 2024 | Understanding Practical Membership Privacy of Deep Learning | Black-box | Classification Models | Arxiv | Link | |
| 2024 | Evaluating Membership Inference Attacks and Defenses in Federated Learning | White-box | Classification Models | Arxiv | Link | Link |
| 2024 | Uncertainty, Calibration, and Membership Inference Attacks: An Information-Theoretic Perspective | Black-box | Classification Models | Arxiv | Link | |
| 2024 | Do Membership Inference Attacks Work on Large Language Models? | Black-box | LLM | Arxiv | Link | Link |
| 2024 | Learning-Based Difficulty Calibration for Enhanced Membership Inference Attacks | Black-box | Classification Models | Arxiv | Link | Link |
| 2024 | Scalable Membership Inference Attacks via Quantile Regression | Black-box | Classification Models | NeurIPS | Link | Link |
Attack Papers 2023
| Year | Title | Adversarial Knowledge | Target Model | Venue | Paper Link | Code Link |
|---|---|---|---|---|---|---|
| 2023 | Link Membership Inference Attacks against Unsupervised Graph Representation Learning | White-box/Black-box | Graph Embedding Models | ACSAC | Link | Link |
| 2023 | Low-Cost High-Power Membership Inference by Boosting Relativity | Black-box | Classification Models | Arxiv | Link | Link |
| 2023 | Practical Membership Inference Attacks against Fine-tuned Large Language Models via Self-prompt Calibration | Black-box | Language Models | Arxiv | Link | |
| 2023 | A Probabilistic Fluctuation based Membership Inference Attack for Diffusion Models | Black-box | Generative Models | Arxiv | Link | |
| 2023 | Practical Membership Inference Attacks Against Large-Scale Multi-Modal Models: A Pilot Study | Black-box | Classification Models | ICCV | Link | Link |
| 2023 | Privacy Side Channels in Machine Learning Systems | Black-box | Classification Models | Arxiv | Link | |
| 2023 | White-box Membership Inference Attacks against Diffusion Models | White-box | Generative Models | Arxiv | Link | Link |
| 2023 | Scalable Membership Inference Attacks via Quantile Regression | Black-box | Classification Models | Arxiv | Link | |
| 2023 | Synthetic is all you need: removing the auxiliary data assumption for membership inference attacks against synthetic data | Black-box | Classification Models | Arxiv | Link | |
| 2023 | Towards More Realistic Membership Inference Attacks on Large Diffusion Models | Black-box | Generative Models | Arxiv | Link | |
| 2023 | Fortifying Federated Learning against Membership Inference Attacks via Client-level Input Perturbation | White-box | Classification Models | Arxiv | Link | |
| 2023 | Gaussian Membership Inference Privacy | White-box | Classification Models | NeurIPS | Link | Link |
| 2023 | TMI! Finetuned Models Leak Private Information from their Pretraining Data | Black-box | Classification Models | Arxiv | Link | |
| 2023 | SoK: Membership Inference is Harder Than Previously Thought | Black-box | Classification Models | Arxiv | Link | Link |
| 2023 | Re-aligning Shadow Models can Improve White-box Membership Inference Attacks | White-box | Classification Models | Arxiv | Link | |
| 2023 | Membership inference attack with relative decision boundary distance | Black-box | Classification Models | Arxiv | Link | |
| 2023 | Membership Inference Attacks against Language Models via Neighbourhood Comparison | Black-box | Language Models | ACL | Link | Link & Link |
| 2023 | How to Combine Membership-Inference Attacks on Multiple Updated Machine Learning Models | Black-box | Classification Models | PoPETs | Link | Link |
| 2023 | AgrEvader: Poisoning Membership Inference against Byzantine-robust Federated Learning | White-box | Classification Models | WWW | Link | Link |
| 2023 | Membership Inference Attacks Against Sequential Recommender Systems | Black-box | Recommender System | WWW | Link | |
| 2023 | A Blessing of Dimensionality in Membership Inference through Regularization | Black-box | Classification Models | AISTATS | Link | Link |
| 2023 | Active Membership Inference Attack under Local Differential Privacy in Federated Learning | White-box | Classification Models | AISTATS | Link | Link |
| 2023 | Membership Inference Attacks against Synthetic Data through Overfitting Detection | Black-box | Generative models | AISTATS | Link | Link |
| 2023 | Students Parrot Their Teachers: Membership Inference on Model Distillation | Black-box | Classification Models | Arxiv | Link | |
| 2023 | Membership Inference Attacks against Diffusion Models | White-box; Black-box | Generative Models | Arxiv | Link | |
| 2023 | Interaction-level Membership Inference Attack Against Federated Recommender Systems | White-box | Recommender System | WWW | Link | |
| 2023 | Are Diffusion Models Vulnerable to Membership Inference Attacks? | Black-box | Generative Models | Arxiv | Link | |
| 2023 | Accuracy-Privacy Trade-off in Deep Ensemble: A Membership Inference Perspective | Black-box | Classification Models | S&P | Link | Link |
| 2023 | Membership Inference of Diffusion Models | Black-box | Generative Models | Arxiv | Link | |
| 2023 | MiDA: Membership inference attacks against domain adaptation | Black-box | Classification Models | ISA Transactions | Link |
Attack Papers 2022
| Year | Title | Adversarial Knowledge | Target Model | Venue | Paper Link | Code Link |
|---|---|---|---|---|---|---|
| 2022 | On the Discredibility of Membership Inference Attacks | Black-box | Classification Models | Arxiv | Link | |
| 2022 | Membership Inference Attacks Against Semantic Segmentation Models | Black-box | Semantic Segmentation Models | Arxiv | Link | Link |
| 2022 | Similarity Distribution based Membership Inference Attack on Person Re-identification | Black-box | Person Re-identification | AAAI | Link | |
| 2022 | Amplifying Membership Exposure via Data Poisoning | Black-box | Classification Models | NeurIPS | Link | Link |
| 2022 | Canary in a Coalmine: Better Membership Inference with Ensembled Adversarial Queries | Black-box | Classification Models | Arxiv | Link | Link |
| 2022 | Membership Inference Attacks Against Text-to-image Generation Models | Black-box | Text-to-image Models | Arxiv | Link | |
| 2022 | Membership Inference Attacks Against Robust Graph Neural Network | Black-box | Classification Models | CSS | Link | |
| 2022 | No-Label User-Level Membership Inference for ASR Model Auditing | Balck-box | Automatic Speech Recognition Model | ESORICS | Link | |
| 2022 | Membership Inference Attacks and Generalization: A Causal Perspective | Black-box; White-box | Classification Models | CCS | Link | |
| 2022 | M^4I: Multi-modal Models Membership Inference | Black-box | Multi-modal Models | NeurIPS | Link | Link |
| 2022 | Membership Inference Attacks by Exploiting Loss Trajectory | Black-box | Classification Models | CCS | Link | Link |
| 2022 | Auditing Membership Leakages of Multi-Exit Networks | White-box; Black-box | Classification Models | CCS | Link | Link |
| 2022 | Label-Only Membership Inference Attack against Node-Level Graph Neural Networks | Black-box | Classification Models | Arxiv | Link | |
| 2022 | Membership-Doctor: Comprehensive Assessment of Membership Inference Against Machine Learning Models | Black-box | Classification Models | Arxiv | Link | |
| 2022 | On the Privacy Effect of Data Enhancement via the Lens of Memorization | Black-box | Classification Models | Arxiv | Link | |
| 2022 | Membership Inference Attacks via Adversarial Examples | White-box | Classification Models | Arxiv | Link | |
| 2022 | Label-Only Membership Inference Attack against Node-Level Graph Neural Networks | Black-box | Classification Models | Arxiv | Link | |
| 2022 | Semi-Leak: Membership Inference Attacks Against Semi-supervised Learning | Black-box | Semi-supervised Learning Models | ECCV | Link | Link |
| 2022 | Debiasing Learning for Membership Inference Attacks Against Recommender Systems | Black-box | Recommender System | KDD | Link | |
| 2022 | Membership Inference via Backdooring | Black-box | Classification Models | IJCAI | Link | Link |
| 2022 | Membership Inference Attacks Against Machine Learning Models via Prediction Sensitivity | Black-box | Classification Models | IEEE Trans Dependable Secure Comput | Link | Link |
| 2022 | Subject Membership Inference Attacks in Federated Learning | White-box | Classification Models | Arxiv | Link | |
| 2022 | Membership Feature Disentanglement Network | White-box | Classification Models | ASIA CCS | Link | |
| 2022 | Understanding Disparate Effects of Membership Inference Attacks and their Countermeasures | Black-box | Classification Models | ASIA CCS | Link | |
| 2022 | l-Leaks:Membership Inference Attacks with Logits | Black-box | Classification Models | Arxiv | Link | |
| 2022 | CS-MIA: Membership inference attack based on prediction confidence series in federated learning | White-box | Classification Models | J. Inf. Secur. Appl | Link | |
| 2022 | Evaluating Membership Inference Through Adversarial Robustnes | White-box | Classfication Models | The Computer Journal | Link | Link |
| 2022 | How to Combine Membership-Inference Attacks on Multiple Updated Models | Black-box | Classification Models | Arxiv | Link | Link |
| 2022 | An Efficient Subpopulation-based Membership Inference Attack | Black-box | Classification Models | Arxiv | Link | |
| 2022 | Assessing the Impact of Membership Inference Attacks on Classical Machine Learning Algorithms | Black-box | Classification Models | DRCN | Link | Link |
| 2022 | Optimal Membership Inference Bounds for Adaptive Composition of Sampled Gaussian Mechanisms | White-box; Black-box | Classification Models | Arxiv | Link | |
| 2022 | Perfectly Accurate Membership Inference by a Dishonest Central Server in Federated Learning | White-box | Classification Models | Arxiv | Link | Link |
| 2022 | Leveraging Adversarial Examples to Quantify Membership Information Leakage | White-box; Black-box | Classification Models | CVPR | Link | Link |
| 2022 | Quantifying Privacy Risks of Masked Language Models Using Membership Inference Attacks | Black-box | Masked Language Models | Arxiv | Link | |
| 2022 | User-Level Membership Inference Attack against Metric Embedding Learning | Black-box | Metric Embedding Models | Arxiv | Link | |
| 2022 | Label-Only Membership Inference Attacks and Defenses In Semantic Segmentation Models | Black-box | Segmentation Models | IEEE Trans Dependable Secure Comput | Link | |
| 2022 | Membership Inference Attacks and Defenses in Neural Network Pruning | Black-box | Classification Models | USENIX Security | Link | Link |
| 2022 | Parameters or Privacy: A Provable Tradeoff Between Overparameterization and Membership Inference | Black-box | Regression Models | Arxiv | Link | |
| 2022 | LTU Attacker for Membership Inference | White-box; Black-box | Classification Models | AAAI Workshop | Link | Link |
Attack Papers 2021
| Year | Title | Adversarial Knowledge | Target Model | Venue | Paper Link | Code Link |
|---|---|---|---|---|---|---|
| 2021 | Membership Inference Attacks From First Principles | White-box; Black-box | Classification Models | S&P | Link | Link |
| 2021 | SHAPr: An Efficient and Versatile Membership Privacy Risk Metric for Machine Learning | Black-box | Classification Models | Arxiv | Link | |
| 2021 | Enhanced Membership Inference Attacks against Machine Learning Models | Black-box | Classification Models | Arxiv | Link | Link |
| 2021 | Do Not Trust Prediction Scores for Membership Inference Attacks | Black-box | Classification Models | IJCAI | Link | Link |
| 2021 | On the Importance of Difficulty Calibration in Membership Inference Attacks | White-box | Classification Models | Arxiv | Link | |
| 2021 | Membership Inference Attacks against GANs by Leveraging Over-representation Regions | White-box | Generative Models | CCS | Link | |
| 2021 | Membership Inference Attacks Against Recommender Systems | Black-box | Recommender Systems | CCS | Link | Link |
| 2021 | Source Inference Attacks in Federated Learning | Black-box | Classifcation Models | ICDM | Link | Link |
| 2021 | Adapting Membership Inference Attacks to GNN for Graph Classification: Approaches and Implications | Black-box | Classification Models | ICDM | Link | Link |
| 2021 | On The Vulnerability of Recurrent Neural Networks to Membership Inference Attacks | Black-box | Text Generation Models | Arxiv | Link | Link |
| 2021 | On the Difficulty of Membership Inference Attacks | White-box | Classification Models | CVPR | Link | Link |
| 2021 | Quantifying Privacy Leakage in Graph Embedding | White-box; Black-box | Graph Embedding Models | NeurIPS Workshop | Link | Link |
| 2021 | Label-only membership inference attacks | Black-box | Classification Models | ICML | Link | Link |
| 2021 | On the Privacy Risks of Model Explanations | Black-box | Classification Models | AIES | Link | |
| 2021 | Systematic evaluation of privacy risks of machine learning models | White-box; Black-box | Classification Models | USENIX Security | Link | Link |
| 2021 | Practical blind membership inference attack via differential comparisons | Black-box | Classification Models | NDSS | Link | Link |
| 2021 | On the (In) Feasibility of Attribute Inference Attacks on Machine Learning Models | White-box; Black-box | Classification Models | EuroS&P | Link | |
| 2021 | Bounding Information Leakage in Machine Learning | White-box | Classification Models | Arxiv | Link | |
| 2021 | How Does Data Augmentation Affect Privacy in Machine Learning? | Black-box | Classification Models | AAAI | Link | Link |
| 2021 | Node-Level Membership Inference Attacks Against Graph Neural Networks | Black-box | Classification Models | Arxiv | Link | |
| 2021 | The Audio Auditor: User-Level Membership Inference in Internet of Things Voice Services | Black-box | Automatic Speech Recognition Model | PoPETs | Link | |
| 2021 | Reconstruction-Based Membership Inference Attacks are Easier on Difficult Problems | Black-box | Image Translation Models; Image Segmentation Models | ICCV | Link | Link |
| 2021 | This Person (Probably) Exists. Identity Membership Attacks Against GAN Generated Faces | Black-box | Generative Models | Arxiv | link | |
| 2021 | Membership Inference Attack Susceptibility of Clinical Language Models | White-box; Black-box | Clinical Language Models | Arxiv | Link | |
| 2021 | Killing four birds with one Gaussian process: the relation between different test-time attacks | Black-box | Classification Models | ICPR | Link | |
| 2021 | Evaluating the Vulnerability of End-to-End Automatic Speech Recognition Models To Membership Inference Attacks | Black-box | Speech Recognition Models | Interspeech | Link | |
| 2021 | Membership Inference Attacks on Knowledge Graphs | Black-box | Knowledge Graph Embedding Models | Arxiv | Link | |
| 2021 | Membership Leakage in Label-Only Exposures | Black-box | Classification Models | CCS | Link | |
| 2021 | Membership inference attack on graph neural networks | Black-box | Classification Models | Arxiv | Link | |
| 2021 | Membership Inference Attacks on Deep Regression Models for Neuroimaging | Black-box | Regression Models | MIDL | Link | |
| 2021 | Membership Inference Attacks on Lottery Ticket Networks | Black-box | Classification Models | ICML Workshop | Link | |
| 2021 | Membership Inference on Word Embedding and Beyond | Black-box | Word Embedding Models | Arxiv | Link | |
| 2021 | EncoderMI: Membership Inference against Pre-trained Encoders in Contrastive Learning | Black-box | Image Encoder Models | CCS | Link |
Attack Papers 2020 [Back to Top]
| Year | Title | Adversarial Knowledge | Target Model | Venue | Paper Link | Code Link |
|---|---|---|---|---|---|---|
| 2020 | GECKO: Reconciling Privacy, Accuracy and Efficiency in Embedded Deep Learning | Black-box | Classification Models | NeurIPS Workshop | Link | |
| 2020 | Gan-leaks: A taxonomy of membership inference attacks against generative models | White-box; Black-box | Generative Models | CCS | Link | Link |
| 2020 | Stolen Memories: Leveraging Model Memorization for Calibrated White-Box Membership Inference | White-box | Classification Models | USENIX Security | Link | |
| 2020 | Information leakage in embedding models | Black-box | Text Embedding Models | CCS | Link | |
| 2020 | When machine unlearning jeopardizes privacy | Black-box | Classification Models | Arxiv | Link | |
| 2020 | Revisiting membership inference under realistic assumptions | Black-box | Classification Models | PoPETs | Link | Link |
| 2020 | Membership inference attacks on sequence-to-sequence models: Is my data in your machine translation system? | Black-box | Text Generation Models | TACL | Link | Link |
| 2020 | Segmentations-leak: Membership inference attacks and defenses in semantic image segmentation | Black-box | Image Segmentation Models | ECCV | Link | Link |
| 2020 | Performing co-membership attacks against deep generative models | White-box | Generative Models | ICDM | Link | |
| 2020 | On the privacy risks of algorithmic fairness | Black-box | Classification Models | EuroS&P | Link | |
| 2020 | A Comprehensive Analysis of Information Leakage in Deep Transfer Learning | Black-box | Classification Models | Arxiv | Link | |
| 2020 | Gan enhanced membership inference: A passive local attack in federated learning | White-box | Classification Models | ICC | Link | |
| 2020 | Privacy analysis of deep learning in the wild: Membership inference attacks against transfer learning | Black-box | Classification Models | Arxiv | Link | |
| 2020 | Data and model dependencies of membership inference attack | Black-box | Classification Models | Arxiv | Link | |
| 2020 | A Pragmatic Approach to Membership Inferences on Machine Learning Models | Black-box | Classification Models | EuroS&P | Link | |
| 2020 | Quantifying Membership Inference Vulnerability via Generalization Gap and Other Model Metrics | Black-box | Classification Models | Arxiv | Link | |
| 2020 | Investigating the Impact of Pre-trained Word Embeddings on Memorization in Neural Networks | Black-box | Word Embedding Models | TSD | Link | |
| 2020 | Beyond Model-Level Membership Privacy Leakage: an Adversarial Approach in Federated Learning | White-box | Classification Models | ICCCN | Link | |
| 2020 | Practical Membership Inference Attack Against Collaborative Inference in Industrial IoT | White-box | Classification Models | IEEE Trans. Industr. Inform. | Link |
Attack Papers 2019 [Back to Top]
| Year | Title | Adversarial Knowledge | Target Model | Venue | Paper Link | Code Link |
|---|---|---|---|---|---|---|
| 2019 | Exploiting unintended feature leakage in collaborative learning | White-box | Classification Models | S&P | Link | Link |
| 2019 | Comprehensive Privacy Analysis of Deep Learning: Passive and Active White-box Inference Attacks against Centralized and Federated Learning | Black-box; White-box | Classification Models | S&P | link | Link |
| 2019 | ML-Leaks: Model and Data Independent Membership Inference Attacks and Defenses on Machine Learning Models | Black-box | Classification Models | NDSS | Link | Link |
| 2019 | LOGAN: Membership Inference Attacks Against Generative Models | Black-box; White-box | Generative Models | PoPETs | Link | Link |
| 2019 | White-box vs Black-box: Bayes Optimal Strategies for Membership Inference | Black-box | Classification Models | ICML | Link | |
| 2019 | Auditing data provenance in text-generation models | Black-box | Text Generation Models | KDD | Link | Link |
| 2019 | Socinf: Membership inference attacks on social media health data with machine learning | Black-box | Classification Models | IEEE Trans. Comput. Soc. Syst. | Link | |
| 2019 | Monte Carlo and Reconstruction Membership Inference Attacks against Generative Models. | White-box; Black-box | Generative Models | PoPETs | Link | Link |
| 2019 | Disparate Vulnerability: on the Unfairness of Privacy Attacks Against Machine Learning | Black-box | Classification Models | Arxiv | Link | |
| 2019 | Demystifying the membership inference attack | Black-box | Classification Models | CMI | Link | |
| 2019 | Differential Privacy Defenses and Sampling Attacks for Membership Inference | Black-box | Classification Models | NeurIPS Workshop | Link | |
| 2019 | Privacy Risks of Securing Machine Learning Models against Adversarial Examples | Black-box | Classification Models | CCS | Link | Link |
| 2019 | Membership Inference Attacks against Adversarially Robust Deep Learning Models | Black-box | Classification Models | S&P Workshop | Link | |
| 2019 | Demystifying Membership Inference Attacks in Machine Learning as a Service | Black-box | Classification Models | IEEE Trans. Serv. Comput. | Link |
Attack Papers 2018 [Back to Top]
| Year | Title | Adversarial Knowledge | Target Model | Venue | Paper Link | Code Link |
|---|---|---|---|---|---|---|
| 2018 | Privacy Risk in Machine Learning: Analyzing the Connection to Overfitting | Black-box | Classification Models | CSF | Link | Link |
| 2018 | Understanding membership inferences on well-generalized learning models | Black-box | Classification Models | Arxiv | link |
Attack Papers 2017 [Back to Top]
| Year | Title | Adversarial Knowledge | Target Model | Venue | Paper Link | Code Link |
|---|---|---|---|---|---|---|
| 2017 | Membership inference attacks against machine learning models | Black-box | Classification Models | S&P | link | Link |
Membership Inference Defense
Defense Papers 2023 [Back to Top]
| Year | Title | Adversarial Knowledge | Target Model | Venue | Paper Link | Code Link |
|---|---|---|---|---|---|---|
| 2023 | Mitigating Membership Inference Attacks via Weighted Smoothing | Black-box | Classification Models | ACSAC | Link | Link |
| 2023 | MIST: Defending Against Membership Inference Attacks Through Membership-Invariant Subspace Training | Black-box | Classification Models | Arxiv | Link | |
| 2023 | Overconfidence is a Dangerous Thing: Mitigating Membership Inference Attacks by Enforcing Less Confident Prediction | Black-box | Classification Models | NDSS | Link | Link |
| 2023 | LoDen: Making Every Client in Federated Learning a Defender Against the Poisoning Membership Inference Attacks | White-box; Black-box | Classification Models | Asia CCS | Link | Link |
Defense Papers 2022 [Back to Top]
| Year | Title | Adversarial Knowledge | Target Model | Venue | Paper Link | Code Link |
|---|---|---|---|---|---|---|
| 2022 | Defense against membership inference attack in graph neural networks through graph perturbation | White-box | Graph Embedding Models | Int. J. Inf. Secur. | Link | |
| 2022 | Provable Membership Inference Privacy | White-box; Black-box | Classification Models | Arxiv | Link | |
| 2022 | Repeated Knowledge Distillation with Confidence Masking to Mitigate Membership Inference Attacks | White-box; Black-box | Classification Models | AISec | Link | |
| 2022 | NeuGuard: Lightweight Neuron-Guided Defense against Membership Inference Attacks | Black-box | Classification Models | Arxiv | Link | |
| 2022 | Defending against Membership Inference Attacks with High Utility by GAN | White-box; Black-box | Classification Models | TDSC | Link | |
| 2022 | RelaxLoss: Defending Membership Inference Attacks without Losing Utility | White-box; Black-box | Classification Models | ICLR | Link | Link |
| 2022 | Assessing Differentially Private Variational Autoencoders under Membership Inference | Black-box | Generative Models | Arxiv | Link | Link |
| 2022 | Membership Privacy Protection for Image Translation Models via Adversarial Knowledge Distillation | Black-box | Image Translation Models | Arxiv | Link | |
| 2022 | MIAShield: Defending Membership Inference Attacks via Preemptive Exclusion of Members | Black-box | Classification Models | Arxiv | Link | |
| 2022 | Privacy-preserving Generative Framework Against Membership Inference Attacks | White-box; Black-box | Classification Models | Arxiv | Link |
Defense Papers 2021 [Back to Top]
| Year | Title | Adversarial Knowledge | Target Model | Venue | Paper Link | Code Link |
|---|---|---|---|---|---|---|
| 2021 | Enhanced Mixup Training: a Defense Method Against Membership Inference Attack | Black-box | Classification Models | ISPEC | Link | |
| 2021 | Mitigating Membership Inference Attacks by Self-Distillation Through a Novel Ensemble Architecture | White-box; Black-box | Classification Models | Arxiv | Link | |
| 2021 | On the privacy-utility trade-off in differentially private hierarchical text classification | White-box | Classification Models | Arxiv | Link | |
| 2021 | MLCapsule: Guarded Offline Deployment of Machine Learning as a Service | Black-box | Classification Models | CVPR | Link | |
| 2021 | Comparing Local and Central Differential Privacy Using Membership Inference Attacks | White-box | Classification Models | DBSec | Link | Link |
| 2021 | Adversary Instantiation: Lower Bounds for Differentially Private Machine Learning | White-box | Classification Models | S&P | Link | |
| 2021 | When Does Data Augmentation Help With Membership Inference Attacks? | Black-box | Classification Models | ICML | Link | Link |
| 2021 | Against Membership Inference Attack: Pruning is All You Need | Black-box | Classification Models | IJCAI | Link | |
| 2021 | Membership Privacy for Machine Learning Models Through Knowledge Transfer | White-box; Black-box | Classification Models | AAAI | Link | |
| 2021 | Quantifying Membership Privacy via Information Leakage | Black-box | Classification Models | IEEE Trans. Inf. Forensics Secur. | Link | |
| 2021 | Membership Inference Attacks and Defenses in Classification Models | Black-box | Classification Models | CODASPY | Link | |
| 2021 | Digestive Neural Networks: A Novel Defense Strategy Against Inference Attacks in Federated Learning | White-box | Classification Models | Computers & Security | Link | |
| 2021 | Resisting Membership Inference Attacks through Knowledge Distillation | Black-box | Classification Models | Neurocomputing | Link | |
| 2021 | privGAN: Protecting GANs from membership inference attacks at low cost to utility | White-box | Generative Models | PoPETs | Link | |
| 2021 | Generating Private Data Surrogates for Vision Related Tasks | White-box | Generative Models | ICPR | Link | |
| 2021 | Membership Inference Attack with Multi-Grade Service Models in Edge Intelligence | Black-box | Classification Models | IEEE Network | Link | |
| 2021 | PAR-GAN: Improving the Generalization of Generative Adversarial Networks Against Membership Inference Attacks | White-box | Generative Models | KDD | Link | Link |
| 2021 | Defending Medical Image Diagnostics against Privacy Attacks using Generative Methods: Application to Retinal Diagnostics | Black-box | Classification Models | MICCAI Workshop | Link | |
| 2021 | Defending Privacy Against More Knowledgeable Membership Inference Attackers | White-box; Black-box | Classification Models | KDD | Link | Link |
Defense Papers 2020 [Back to Top]
| Year | Title | Adversarial Knowledge | Target Model | Venue | Paper Link | Code Link |
|---|---|---|---|---|---|---|
| 2020 | Privacy for All: Demystify Vulnerability Disparity of Differential Privacy against Membership Inference Attack | Black-box | Classification Models | Arxiv | Link | |
| 2020 | Privacy for All: Demystify Vulnerability Disparity of Differential Privacy against Membership Inference Attack | Black-box | Classification Models | Arxiv | Link | |
| 2020 | Differential Privacy Protection Against Membership Inference Attack on Machine Learning for Genomic Data | Black-box | Classification Models | Biocomputing | Link | |
| 2020 | A Secure Federated Learning Framework for 5G Networks | White-box | Classification Models | IEEE Wireless Communications | Link | |
| 2020 | Auditing Differentially Private Machine Learning: How Private is Private SGD? | Black-box | Classification Models | NeurIPS | Link | Link |
| 2020 | Toward Robustness and Privacy in Federated Learning: Experimenting with Local and Central Differential Privacy | White-box | Classification Models | Arxiv | Link | |
| 2020 | Defending Model Inversion and Membership Inference Attacks via Prediction Purification | Black-box | Classification | Arxiv | Link | |
| 2020 | Alleviating Privacy Attacks via Causal Learning | Black-box | Classification Models | ICML | Link | Link |
| 2020 | On the Effectiveness of Regularization Against Membership Inference Attacks | Black-box | Classification Models | Arxiv | Link | |
| 2020 | Characterizing Membership Privacy in Stochastic Gradient Langevin Dynamics | Black-box | Classification Models | AAAI | Link | |
| 2020 | Differentially Private Learning Does Not Bound Membership Inference | Black-box | Classification Models | Arxiv | Link | |
| 2020 | Privacy-Preserving in Defending against Membership Inference Attacks | Black-box | Classification Models | PPMLP | Link |
Defense Papers 2019 [Back to Top]
| Year | Title | Adversarial Knowledge | Target Model | Venue | Paper Link | Code Link |
|---|---|---|---|---|---|---|
| 2019 | Evaluating Differentially Private Machine Learning in Practice | Black-box | Classification Models | USENIX Security | Link | Link |
| 2019 | MemGuard: Defending against Black-Box Membership Inference Attacks via Adversarial Examples | Black-box | Classification Models | CCS | Link | Link |
| 2019 | Generalization in Generative Adversarial Networks: A Novel Perspective from Privacy Protection | White-box; Black-box | Generative Models | NeurIPS | Link | |
| 2019 | Cronus: Robust and Heterogeneous Collaborative Learning with Black-Box Knowledge Transfer | Black-box | Classification Models | Arxiv | Link | |
| 2019 | ML Defense: Against Prediction API Threats in Cloud-Based Machine Learning Service | Black-box | Classification Models | IWQoS | Link | |
| 2019 | Effects of Differential Privacy and Data Skewness on Membership Inference Vulnerability | Black-box | Classification Models | TPS-ISA | Link | |
| 2019 | Generating Artificial Data for Private Deep Learning | Black-box | Generative Models | PAL | Link |
Defense Papers 2018 [Back to Top]
| Year | Title | Adversarial Knowledge | Target Model | Venue | Paper Link | Code Link |
|---|---|---|---|---|---|---|
| 2018 | Machine Learning with Membership Privacy using Adversarial Regularization | Black-box | Classification Models | CCS | Link | Link |
| 2018 | Privacy-preserving Machine Learning through Data Obfuscation | Black-box | Classification Models | Arxiv | Link | |
| 2018 | Differentially Private Data Generative Models | Black-box | Classification Models | Arxiv | Link | |
| 2018 | Membership Inference Attack against Differentially Private Deep Learning Model | Black-box | Classification Models | Transactions on Data Privacy | Link |