Awesome
Membership Inference Attacks and Defenses on Machine Learning Models Literature
A curated list of membership inference attacks and defenses papers on machine learning models.
Papers are sorted by their released dates in descending order.
This repository serves as a complement to the survey below.
Membership Inference Attacks on Machine Learning: A Survey (More than 100 papers reviewed).
@article{hu2022membership,
title={Membership inference attacks on machine learning: A survey},
author={Hu, Hongsheng and Salcic, Zoran and Sun, Lichao and Dobbie, Gillian and Yu, Philip S and Zhang, Xuyun},
journal={ACM Computing Surveys (CSUR)},
volume={54},
number={11s},
pages={1--37},
year={2022},
publisher={ACM New York, NY}
}
If you feel this repository is helpful, please cite the survey above.
How to Search?
Search keywords like conference name (e.g., CCS), adversarial knowledge (e.g., Black-box), or target model (e.g., Classification Model) over the webpage to quickly locate related papers. Because we are in the age of generative AI, we highlight the target model of Large Language Model (LLM).
Quick Links
Attack papers sorted by year: | 2024 |2023 |2022 |2021 | 2020 | 2019 | 2018 | 2017 |
Defense papers sorted by year: | 2023 |2022 | 2021 | 2020 | 2019 | 2018 |
Membership Inference Attack
Attack Papers 2024
| Year | Title | Adversarial Knowledge | Target Model | Venue | Paper Link | Code Link |
|---|---|---|---|---|---|---|
| 2024 | Noisy Neighbors: Efficient membership inference attacks against LLMs | Black-box | :sparkles: LLM :sparkles: | Arxiv | Link | |
| 2024 | SoK: Membership Inference Attacks on LLMs are Rushing Nowhere (and How to Fix It) | White-box; Black-box | :sparkles: LLM :sparkles: | Arxiv | Link | Link |
| 2024 | ReCaLL: Membership Inference via Relative Conditional Log-Likelihoods | Black-box | :sparkles: LLM :sparkles: | Arxiv | Link | |
| 2024 | Blind Baselines Beat Membership Inference Attacks for Foundation Models | No Access | :sparkles: LLM :sparkles: | Arxiv | Link | |
| 2024 | Generating Is Believing: Membership Inference Attacks against Retrieval-Augmented Generation | Black-box | :sparkles: LLM :sparkles: | Arxiv | Link | |
| 2024 | Semantic Membership Inference Attack against Large Language Models | Black-box | :sparkles: LLM :sparkles: | Arxiv | Link | |
| 2024 | GCL-Leak: Link Membership Inference Attacks against Graph Contrastive Learning | White-box | Graph Contrastive Learning | PoPETs | Link | Link |
| 2024 | Unveiling the Unseen: Exploring Whitebox Membership Inference through the Lens of Explainability | White-box | Classification Models | Arxiv | Link | |
| 2024 | Do Parameters Reveal More than Loss for Membership Inference? | White-box | Classification Models | ICML Workshop | Link | Link |
| 2024 | Low-Cost High-Power Membership Inference Attacks | Black-box | Classification Models | ICML | Link | Link |
| 2024 | LLM Dataset Inference Did you train on my dataset? | Black-box | :sparkles: LLM :sparkles: | Arxiv | Link | Link |
| 2024 | Shadow-Free Membership Inference Attacks: Recommender Systems Are More Vulnerable Than You Thought | Black-box | Recommender System | IJCAI | Link | Link |
| 2024 | Is My Data in Your Retrieval Database? Membership Inference Attacks Against Retrieval Augmented Generation | Black-box | Generative Models | Arxiv | Link | |
| 2024 | A Comprehensive Analysis of Factors Impacting Membership Inference | White-box; Black-box | Classification Models | CVPR workshop | Link | |
| 2024 | Lost in the Averages: A New Specific Setup to Evaluate Membership Inference Attacks Against Machine Learning Models | Black-box | Classification Models | Arxiv | Link | |
| 2024 | Better Membership Inference Privacy Measurement through Discrepancy | Black-box | Classification Models | Arxiv | Link | |
| 2024 | OSLO: One-Shot Label-Only Membership Inference Attacks | Black-box | Classification Models | Arxiv | Link | |
| 2024 | Please Tell Me More: Privacy Impact of Explainability through the Lens of Membership Inference Attack | Black-box | Classification Models | S&P | Link | |
| 2024 | Is my Data in your AI Model? Membership Inference Test with Application to Face Images | White-box; Black-box | Classification Models | Arxiv | Link | |
| 2024 | Understanding Practical Membership Privacy of Deep Learning | Black-box | Classification Models | Arxiv | Link | |
| 2024 | Evaluating Membership Inference Attacks and Defenses in Federated Learning | White-box | Classification Models | Arxiv | Link | Link |
| 2024 | Uncertainty, Calibration, and Membership Inference Attacks: An Information-Theoretic Perspective | Black-box | Classification Models | Arxiv | Link | |
| 2024 | Do Membership Inference Attacks Work on Large Language Models? | Black-box | :sparkles: LLM :sparkles: | Arxiv | Link | Link |
| 2024 | Learning-Based Difficulty Calibration for Enhanced Membership Inference Attacks | Black-box | Classification Models | Arxiv | Link | Link |
| 2024 | Scalable Membership Inference Attacks via Quantile Regression | Black-box | Classification Models | NeurIPS | Link | Link |
Attack Papers 2023
| Year | Title | Adversarial Knowledge | Target Model | Venue | Paper Link | Code Link |
|---|---|---|---|---|---|---|
| 2023 | Link Membership Inference Attacks against Unsupervised Graph Representation Learning | White-box/Black-box | Graph Embedding Models | ACSAC | Link | Link |
| 2023 | Low-Cost High-Power Membership Inference by Boosting Relativity | Black-box | Classification Models | Arxiv | Link | Link |
| 2023 | Practical Membership Inference Attacks against Fine-tuned Large Language Models via Self-prompt Calibration | Black-box | Language Models | Arxiv | Link | |
| 2023 | A Probabilistic Fluctuation based Membership Inference Attack for Diffusion Models | Black-box | Generative Models | Arxiv | Link | |
| 2023 | Practical Membership Inference Attacks Against Large-Scale Multi-Modal Models: A Pilot Study | Black-box | Classification Models | ICCV | Link | Link |
| 2023 | Privacy Side Channels in Machine Learning Systems | Black-box | Classification Models | Arxiv | Link | |
| 2023 | White-box Membership Inference Attacks against Diffusion Models | White-box | Generative Models | Arxiv | Link | Link |
| 2023 | Scalable Membership Inference Attacks via Quantile Regression | Black-box | Classification Models | Arxiv | Link | |
| 2023 | Synthetic is all you need: removing the auxiliary data assumption for membership inference attacks against synthetic data | Black-box | Classification Models | Arxiv | Link | |
| 2023 | Towards More Realistic Membership Inference Attacks on Large Diffusion Models | Black-box | Generative Models | Arxiv | Link | |
| 2023 | Fortifying Federated Learning against Membership Inference Attacks via Client-level Input Perturbation | White-box | Classification Models | Arxiv | Link | |
| 2023 | Gaussian Membership Inference Privacy | White-box | Classification Models | NeurIPS | Link | Link |
| 2023 | TMI! Finetuned Models Leak Private Information from their Pretraining Data | Black-box | Classification Models | Arxiv | Link | |
| 2023 | SoK: Membership Inference is Harder Than Previously Thought | Black-box | Classification Models | Arxiv | Link | Link |
| 2023 | Re-aligning Shadow Models can Improve White-box Membership Inference Attacks | White-box | Classification Models | Arxiv | Link | |
| 2023 | Membership inference attack with relative decision boundary distance | Black-box | Classification Models | Arxiv | Link | |
| 2023 | Membership Inference Attacks against Language Models via Neighbourhood Comparison | Black-box | Language Models | ACL | Link | Link & Link |
| 2023 | How to Combine Membership-Inference Attacks on Multiple Updated Machine Learning Models | Black-box | Classification Models | PoPETs | Link | Link |
| 2023 | AgrEvader: Poisoning Membership Inference against Byzantine-robust Federated Learning | White-box | Classification Models | WWW | Link | Link |
| 2023 | Membership Inference Attacks Against Sequential Recommender Systems | Black-box | Recommender System | WWW | Link | |
| 2023 | A Blessing of Dimensionality in Membership Inference through Regularization | Black-box | Classification Models | AISTATS | Link | Link |
| 2023 | Active Membership Inference Attack under Local Differential Privacy in Federated Learning | White-box | Classification Models | AISTATS | Link | Link |
| 2023 | Membership Inference Attacks against Synthetic Data through Overfitting Detection | Black-box | Generative models | AISTATS | Link | Link |
| 2023 | Students Parrot Their Teachers: Membership Inference on Model Distillation | Black-box | Classification Models | Arxiv | Link | |
| 2023 | Membership Inference Attacks against Diffusion Models | White-box; Black-box | Generative Models | Arxiv | Link | |
| 2023 | Interaction-level Membership Inference Attack Against Federated Recommender Systems | White-box | Recommender System | WWW | Link | |
| 2023 | Are Diffusion Models Vulnerable to Membership Inference Attacks? | Black-box | Generative Models | Arxiv | Link | |
| 2023 | Accuracy-Privacy Trade-off in Deep Ensemble: A Membership Inference Perspective | Black-box | Classification Models | S&P | Link | Link |
| 2023 | Membership Inference of Diffusion Models | Black-box | Generative Models | Arxiv | Link | |
| 2023 | MiDA: Membership inference attacks against domain adaptation | Black-box | Classification Models | ISA Transactions | Link |
Attack Papers 2022
| Year | Title | Adversarial Knowledge | Target Model | Venue | Paper Link | Code Link |
|---|---|---|---|---|---|---|
| 2022 | On the Discredibility of Membership Inference Attacks | Black-box | Classification Models | Arxiv | Link | |
| 2022 | Membership Inference Attacks Against Semantic Segmentation Models | Black-box | Semantic Segmentation Models | Arxiv | Link | Link |
| 2022 | Similarity Distribution based Membership Inference Attack on Person Re-identification | Black-box | Person Re-identification | AAAI | Link | |
| 2022 | Amplifying Membership Exposure via Data Poisoning | Black-box | Classification Models | NeurIPS | Link | Link |
| 2022 | Canary in a Coalmine: Better Membership Inference with Ensembled Adversarial Queries | Black-box | Classification Models | Arxiv | Link | Link |
| 2022 | Membership Inference Attacks Against Text-to-image Generation Models | Black-box | Text-to-image Models | Arxiv | Link | |
| 2022 | Membership Inference Attacks Against Robust Graph Neural Network | Black-box | Classification Models | CSS | Link | |
| 2022 | No-Label User-Level Membership Inference for ASR Model Auditing | Balck-box | Automatic Speech Recognition Model | ESORICS | Link | |
| 2022 | Membership Inference Attacks and Generalization: A Causal Perspective | Black-box; White-box | Classification Models | CCS | Link | |
| 2022 | M^4I: Multi-modal Models Membership Inference | Black-box | Multi-modal Models | NeurIPS | Link | Link |
| 2022 | Membership Inference Attacks by Exploiting Loss Trajectory | Black-box | Classification Models | CCS | Link | Link |
| 2022 | Auditing Membership Leakages of Multi-Exit Networks | White-box; Black-box | Classification Models | CCS | Link | Link |
| 2022 | Label-Only Membership Inference Attack against Node-Level Graph Neural Networks | Black-box | Classification Models | Arxiv | Link | |
| 2022 | Membership-Doctor: Comprehensive Assessment of Membership Inference Against Machine Learning Models | Black-box | Classification Models | Arxiv | Link | |
| 2022 | On the Privacy Effect of Data Enhancement via the Lens of Memorization | Black-box | Classification Models | Arxiv | Link | |
| 2022 | Membership Inference Attacks via Adversarial Examples | White-box | Classification Models | Arxiv | Link | |
| 2022 | Label-Only Membership Inference Attack against Node-Level Graph Neural Networks | Black-box | Classification Models | Arxiv | Link | |
| 2022 | Semi-Leak: Membership Inference Attacks Against Semi-supervised Learning | Black-box | Semi-supervised Learning Models | ECCV | Link | Link |
| 2022 | Debiasing Learning for Membership Inference Attacks Against Recommender Systems | Black-box | Recommender System | KDD | Link | |
| 2022 | Membership Inference via Backdooring | Black-box | Classification Models | IJCAI | Link | Link |
| 2022 | Membership Inference Attacks Against Machine Learning Models via Prediction Sensitivity | Black-box | Classification Models | IEEE Trans Dependable Secure Comput | Link | Link |
| 2022 | Subject Membership Inference Attacks in Federated Learning | White-box | Classification Models | Arxiv | Link | |
| 2022 | Membership Feature Disentanglement Network | White-box | Classification Models | ASIA CCS | Link | |
| 2022 | Understanding Disparate Effects of Membership Inference Attacks and their Countermeasures | Black-box | Classification Models | ASIA CCS | Link | |
| 2022 | l-Leaks:Membership Inference Attacks with Logits | Black-box | Classification Models | Arxiv | Link | |
| 2022 | CS-MIA: Membership inference attack based on prediction confidence series in federated learning | White-box | Classification Models | J. Inf. Secur. Appl | Link | |
| 2022 | Evaluating Membership Inference Through Adversarial Robustnes | White-box | Classfication Models | The Computer Journal | Link | Link |
| 2022 | How to Combine Membership-Inference Attacks on Multiple Updated Models | Black-box | Classification Models | Arxiv | Link | Link |
| 2022 | An Efficient Subpopulation-based Membership Inference Attack | Black-box | Classification Models | Arxiv | Link | |
| 2022 | Assessing the Impact of Membership Inference Attacks on Classical Machine Learning Algorithms | Black-box | Classification Models | DRCN | Link | Link |
| 2022 | Optimal Membership Inference Bounds for Adaptive Composition of Sampled Gaussian Mechanisms | White-box; Black-box | Classification Models | Arxiv | Link | |
| 2022 | Perfectly Accurate Membership Inference by a Dishonest Central Server in Federated Learning | White-box | Classification Models | Arxiv | Link | Link |
| 2022 | Leveraging Adversarial Examples to Quantify Membership Information Leakage | White-box; Black-box | Classification Models | CVPR | Link | Link |
| 2022 | Quantifying Privacy Risks of Masked Language Models Using Membership Inference Attacks | Black-box | Masked Language Models | Arxiv | Link | |
| 2022 | User-Level Membership Inference Attack against Metric Embedding Learning | Black-box | Metric Embedding Models | Arxiv | Link | |
| 2022 | Label-Only Membership Inference Attacks and Defenses In Semantic Segmentation Models | Black-box | Segmentation Models | IEEE Trans Dependable Secure Comput | Link | |
| 2022 | Membership Inference Attacks and Defenses in Neural Network Pruning | Black-box | Classification Models | USENIX Security | Link | Link |
| 2022 | Parameters or Privacy: A Provable Tradeoff Between Overparameterization and Membership Inference | Black-box | Regression Models | Arxiv | Link | |
| 2022 | LTU Attacker for Membership Inference | White-box; Black-box | Classification Models | AAAI Workshop | Link | Link |
Attack Papers 2021
| Year | Title | Adversarial Knowledge | Target Model | Venue | Paper Link | Code Link |
|---|---|---|---|---|---|---|
| 2021 | Membership Inference Attacks From First Principles | White-box; Black-box | Classification Models | S&P | Link | Link |
| 2021 | SHAPr: An Efficient and Versatile Membership Privacy Risk Metric for Machine Learning | Black-box | Classification Models | Arxiv | Link | |
| 2021 | Enhanced Membership Inference Attacks against Machine Learning Models | Black-box | Classification Models | Arxiv | Link | Link |
| 2021 | Do Not Trust Prediction Scores for Membership Inference Attacks | Black-box | Classification Models | IJCAI | Link | Link |
| 2021 | On the Importance of Difficulty Calibration in Membership Inference Attacks | White-box | Classification Models | Arxiv | Link | |
| 2021 | Membership Inference Attacks against GANs by Leveraging Over-representation Regions | White-box | Generative Models | CCS | Link | |
| 2021 | Membership Inference Attacks Against Recommender Systems | Black-box | Recommender Systems | CCS | Link | Link |
| 2021 | Source Inference Attacks in Federated Learning | Black-box | Classifcation Models | ICDM | Link | Link |
| 2021 | Adapting Membership Inference Attacks to GNN for Graph Classification: Approaches and Implications | Black-box | Classification Models | ICDM | Link | Link |
| 2021 | On The Vulnerability of Recurrent Neural Networks to Membership Inference Attacks | Black-box | Text Generation Models | Arxiv | Link | Link |
| 2021 | On the Difficulty of Membership Inference Attacks | White-box | Classification Models | CVPR | Link | Link |
| 2021 | Quantifying Privacy Leakage in Graph Embedding | White-box; Black-box | Graph Embedding Models | NeurIPS Workshop | Link | Link |
| 2021 | Label-only membership inference attacks | Black-box | Classification Models | ICML | Link | Link |
| 2021 | On the Privacy Risks of Model Explanations | Black-box | Classification Models | AIES | Link | |
| 2021 | Systematic evaluation of privacy risks of machine learning models | White-box; Black-box | Classification Models | USENIX Security | Link | Link |
| 2021 | Practical blind membership inference attack via differential comparisons | Black-box | Classification Models | NDSS | Link | Link |
| 2021 | On the (In) Feasibility of Attribute Inference Attacks on Machine Learning Models | White-box; Black-box | Classification Models | EuroS&P | Link | |
| 2021 | Bounding Information Leakage in Machine Learning | White-box | Classification Models | Arxiv | Link | |
| 2021 | How Does Data Augmentation Affect Privacy in Machine Learning? | Black-box | Classification Models | AAAI | Link | Link |
| 2021 | Node-Level Membership Inference Attacks Against Graph Neural Networks | Black-box | Classification Models | Arxiv | Link | |
| 2021 | The Audio Auditor: User-Level Membership Inference in Internet of Things Voice Services | Black-box | Automatic Speech Recognition Model | PoPETs | Link | |
| 2021 | Reconstruction-Based Membership Inference Attacks are Easier on Difficult Problems | Black-box | Image Translation Models; Image Segmentation Models | ICCV | Link | Link |
| 2021 | This Person (Probably) Exists. Identity Membership Attacks Against GAN Generated Faces | Black-box | Generative Models | Arxiv | link | |
| 2021 | Membership Inference Attack Susceptibility of Clinical Language Models | White-box; Black-box | Clinical Language Models | Arxiv | Link | |
| 2021 | Killing four birds with one Gaussian process: the relation between different test-time attacks | Black-box | Classification Models | ICPR | Link | |
| 2021 | Evaluating the Vulnerability of End-to-End Automatic Speech Recognition Models To Membership Inference Attacks | Black-box | Speech Recognition Models | Interspeech | Link | |
| 2021 | Membership Inference Attacks on Knowledge Graphs | Black-box | Knowledge Graph Embedding Models | Arxiv | Link | |
| 2021 | Membership Leakage in Label-Only Exposures | Black-box | Classification Models | CCS | Link | |
| 2021 | Membership inference attack on graph neural networks | Black-box | Classification Models | Arxiv | Link | |
| 2021 | Membership Inference Attacks on Deep Regression Models for Neuroimaging | Black-box | Regression Models | MIDL | Link | |
| 2021 | Membership Inference Attacks on Lottery Ticket Networks | Black-box | Classification Models | ICML Workshop | Link | |
| 2021 | Membership Inference on Word Embedding and Beyond | Black-box | Word Embedding Models | Arxiv | Link | |
| 2021 | EncoderMI: Membership Inference against Pre-trained Encoders in Contrastive Learning | Black-box | Image Encoder Models | CCS | Link |
Attack Papers 2020 [Back to Top]
| Year | Title | Adversarial Knowledge | Target Model | Venue | Paper Link | Code Link |
|---|---|---|---|---|---|---|
| 2020 | GECKO: Reconciling Privacy, Accuracy and Efficiency in Embedded Deep Learning | Black-box | Classification Models | NeurIPS Workshop | Link | |
| 2020 | Gan-leaks: A taxonomy of membership inference attacks against generative models | White-box; Black-box | Generative Models | CCS | Link | Link |
| 2020 | Stolen Memories: Leveraging Model Memorization for Calibrated White-Box Membership Inference | White-box | Classification Models | USENIX Security | Link | |
| 2020 | Information leakage in embedding models | Black-box | Text Embedding Models | CCS | Link | |
| 2020 | When machine unlearning jeopardizes privacy | Black-box | Classification Models | Arxiv | Link | |
| 2020 | Revisiting membership inference under realistic assumptions | Black-box | Classification Models | PoPETs | Link | Link |
| 2020 | Membership inference attacks on sequence-to-sequence models: Is my data in your machine translation system? | Black-box | Text Generation Models | TACL | Link | Link |
| 2020 | Segmentations-leak: Membership inference attacks and defenses in semantic image segmentation | Black-box | Image Segmentation Models | ECCV | Link | Link |
| 2020 | Performing co-membership attacks against deep generative models | White-box | Generative Models | ICDM | Link | |
| 2020 | On the privacy risks of algorithmic fairness | Black-box | Classification Models | EuroS&P | Link | |
| 2020 | A Comprehensive Analysis of Information Leakage in Deep Transfer Learning | Black-box | Classification Models | Arxiv | Link | |
| 2020 | Gan enhanced membership inference: A passive local attack in federated learning | White-box | Classification Models | ICC | Link | |
| 2020 | Privacy analysis of deep learning in the wild: Membership inference attacks against transfer learning | Black-box | Classification Models | Arxiv | Link | |
| 2020 | Data and model dependencies of membership inference attack | Black-box | Classification Models | Arxiv | Link | |
| 2020 | A Pragmatic Approach to Membership Inferences on Machine Learning Models | Black-box | Classification Models | EuroS&P | Link | |
| 2020 | Quantifying Membership Inference Vulnerability via Generalization Gap and Other Model Metrics | Black-box | Classification Models | Arxiv | Link | |
| 2020 | Investigating the Impact of Pre-trained Word Embeddings on Memorization in Neural Networks | Black-box | Word Embedding Models | TSD | Link | |
| 2020 | Beyond Model-Level Membership Privacy Leakage: an Adversarial Approach in Federated Learning | White-box | Classification Models | ICCCN | Link | |
| 2020 | Practical Membership Inference Attack Against Collaborative Inference in Industrial IoT | White-box | Classification Models | IEEE Trans. Industr. Inform. | Link |
Attack Papers 2019 [Back to Top]
| Year | Title | Adversarial Knowledge | Target Model | Venue | Paper Link | Code Link |
|---|---|---|---|---|---|---|
| 2019 | Exploiting unintended feature leakage in collaborative learning | White-box | Classification Models | S&P | Link | Link |
| 2019 | Comprehensive Privacy Analysis of Deep Learning: Passive and Active White-box Inference Attacks against Centralized and Federated Learning | Black-box; White-box | Classification Models | S&P | link | Link |
| 2019 | ML-Leaks: Model and Data Independent Membership Inference Attacks and Defenses on Machine Learning Models | Black-box | Classification Models | NDSS | Link | Link |
| 2019 | LOGAN: Membership Inference Attacks Against Generative Models | Black-box; White-box | Generative Models | PoPETs | Link | Link |
| 2019 | White-box vs Black-box: Bayes Optimal Strategies for Membership Inference | Black-box | Classification Models | ICML | Link | |
| 2019 | Auditing data provenance in text-generation models | Black-box | Text Generation Models | KDD | Link | Link |
| 2019 | Socinf: Membership inference attacks on social media health data with machine learning | Black-box | Classification Models | IEEE Trans. Comput. Soc. Syst. | Link | |
| 2019 | Monte Carlo and Reconstruction Membership Inference Attacks against Generative Models. | White-box; Black-box | Generative Models | PoPETs | Link | Link |
| 2019 | Disparate Vulnerability: on the Unfairness of Privacy Attacks Against Machine Learning | Black-box | Classification Models | Arxiv | Link | |
| 2019 | Demystifying the membership inference attack | Black-box | Classification Models | CMI | Link | |
| 2019 | Differential Privacy Defenses and Sampling Attacks for Membership Inference | Black-box | Classification Models | NeurIPS Workshop | Link | |
| 2019 | Privacy Risks of Securing Machine Learning Models against Adversarial Examples | Black-box | Classification Models | CCS | Link | Link |
| 2019 | Membership Inference Attacks against Adversarially Robust Deep Learning Models | Black-box | Classification Models | S&P Workshop | Link | |
| 2019 | Demystifying Membership Inference Attacks in Machine Learning as a Service | Black-box | Classification Models | IEEE Trans. Serv. Comput. | Link |
Attack Papers 2018 [Back to Top]
| Year | Title | Adversarial Knowledge | Target Model | Venue | Paper Link | Code Link |
|---|---|---|---|---|---|---|
| 2018 | Privacy Risk in Machine Learning: Analyzing the Connection to Overfitting | Black-box | Classification Models | CSF | Link | Link |
| 2018 | Understanding membership inferences on well-generalized learning models | Black-box | Classification Models | Arxiv | link |
Attack Papers 2017 [Back to Top]
| Year | Title | Adversarial Knowledge | Target Model | Venue | Paper Link | Code Link |
|---|---|---|---|---|---|---|
| 2017 | Membership inference attacks against machine learning models | Black-box | Classification Models | S&P | link | Link |
Membership Inference Defense
Defense Papers 2023 [Back to Top]
| Year | Title | Adversarial Knowledge | Target Model | Venue | Paper Link | Code Link |
|---|---|---|---|---|---|---|
| 2023 | Mitigating Membership Inference Attacks via Weighted Smoothing | Black-box | Classification Models | ACSAC | Link | Link |
| 2023 | MIST: Defending Against Membership Inference Attacks Through Membership-Invariant Subspace Training | Black-box | Classification Models | Arxiv | Link | |
| 2023 | Overconfidence is a Dangerous Thing: Mitigating Membership Inference Attacks by Enforcing Less Confident Prediction | Black-box | Classification Models | NDSS | Link | Link |
| 2023 | LoDen: Making Every Client in Federated Learning a Defender Against the Poisoning Membership Inference Attacks | White-box; Black-box | Classification Models | Asia CCS | Link | Link |
Defense Papers 2022 [Back to Top]
| Year | Title | Adversarial Knowledge | Target Model | Venue | Paper Link | Code Link |
|---|---|---|---|---|---|---|
| 2022 | Defense against membership inference attack in graph neural networks through graph perturbation | White-box | Graph Embedding Models | Int. J. Inf. Secur. | Link | |
| 2022 | Provable Membership Inference Privacy | White-box; Black-box | Classification Models | Arxiv | Link | |
| 2022 | Repeated Knowledge Distillation with Confidence Masking to Mitigate Membership Inference Attacks | White-box; Black-box | Classification Models | AISec | Link | |
| 2022 | NeuGuard: Lightweight Neuron-Guided Defense against Membership Inference Attacks | Black-box | Classification Models | Arxiv | Link | |
| 2022 | Defending against Membership Inference Attacks with High Utility by GAN | White-box; Black-box | Classification Models | TDSC | Link | |
| 2022 | RelaxLoss: Defending Membership Inference Attacks without Losing Utility | White-box; Black-box | Classification Models | ICLR | Link | Link |
| 2022 | Assessing Differentially Private Variational Autoencoders under Membership Inference | Black-box | Generative Models | Arxiv | Link | Link |
| 2022 | Membership Privacy Protection for Image Translation Models via Adversarial Knowledge Distillation | Black-box | Image Translation Models | Arxiv | Link | |
| 2022 | MIAShield: Defending Membership Inference Attacks via Preemptive Exclusion of Members | Black-box | Classification Models | Arxiv | Link | |
| 2022 | Privacy-preserving Generative Framework Against Membership Inference Attacks | White-box; Black-box | Classification Models | Arxiv | Link |
Defense Papers 2021 [Back to Top]
| Year | Title | Adversarial Knowledge | Target Model | Venue | Paper Link | Code Link |
|---|---|---|---|---|---|---|
| 2021 | Enhanced Mixup Training: a Defense Method Against Membership Inference Attack | Black-box | Classification Models | ISPEC | Link | |
| 2021 | Mitigating Membership Inference Attacks by Self-Distillation Through a Novel Ensemble Architecture | White-box; Black-box | Classification Models | Arxiv | Link | |
| 2021 | On the privacy-utility trade-off in differentially private hierarchical text classification | White-box | Classification Models | Arxiv | Link | |
| 2021 | MLCapsule: Guarded Offline Deployment of Machine Learning as a Service | Black-box | Classification Models | CVPR | Link | |
| 2021 | Comparing Local and Central Differential Privacy Using Membership Inference Attacks | White-box | Classification Models | DBSec | Link | Link |
| 2021 | Adversary Instantiation: Lower Bounds for Differentially Private Machine Learning | White-box | Classification Models | S&P | Link | |
| 2021 | When Does Data Augmentation Help With Membership Inference Attacks? | Black-box | Classification Models | ICML | Link | Link |
| 2021 | Against Membership Inference Attack: Pruning is All You Need | Black-box | Classification Models | IJCAI | Link | |
| 2021 | Membership Privacy for Machine Learning Models Through Knowledge Transfer | White-box; Black-box | Classification Models | AAAI | Link | |
| 2021 | Quantifying Membership Privacy via Information Leakage | Black-box | Classification Models | IEEE Trans. Inf. Forensics Secur. | Link | |
| 2021 | Membership Inference Attacks and Defenses in Classification Models | Black-box | Classification Models | CODASPY | Link | |
| 2021 | Digestive Neural Networks: A Novel Defense Strategy Against Inference Attacks in Federated Learning | White-box | Classification Models | Computers & Security | Link | |
| 2021 | Resisting Membership Inference Attacks through Knowledge Distillation | Black-box | Classification Models | Neurocomputing | Link | |
| 2021 | privGAN: Protecting GANs from membership inference attacks at low cost to utility | White-box | Generative Models | PoPETs | Link | |
| 2021 | Generating Private Data Surrogates for Vision Related Tasks | White-box | Generative Models | ICPR | Link | |
| 2021 | Membership Inference Attack with Multi-Grade Service Models in Edge Intelligence | Black-box | Classification Models | IEEE Network | Link | |
| 2021 | PAR-GAN: Improving the Generalization of Generative Adversarial Networks Against Membership Inference Attacks | White-box | Generative Models | KDD | Link | Link |
| 2021 | Defending Medical Image Diagnostics against Privacy Attacks using Generative Methods: Application to Retinal Diagnostics | Black-box | Classification Models | MICCAI Workshop | Link | |
| 2021 | Defending Privacy Against More Knowledgeable Membership Inference Attackers | White-box; Black-box | Classification Models | KDD | Link | Link |
Defense Papers 2020 [Back to Top]
| Year | Title | Adversarial Knowledge | Target Model | Venue | Paper Link | Code Link |
|---|---|---|---|---|---|---|
| 2020 | Privacy for All: Demystify Vulnerability Disparity of Differential Privacy against Membership Inference Attack | Black-box | Classification Models | Arxiv | Link | |
| 2020 | Privacy for All: Demystify Vulnerability Disparity of Differential Privacy against Membership Inference Attack | Black-box | Classification Models | Arxiv | Link | |
| 2020 | Differential Privacy Protection Against Membership Inference Attack on Machine Learning for Genomic Data | Black-box | Classification Models | Biocomputing | Link | |
| 2020 | A Secure Federated Learning Framework for 5G Networks | White-box | Classification Models | IEEE Wireless Communications | Link | |
| 2020 | Auditing Differentially Private Machine Learning: How Private is Private SGD? | Black-box | Classification Models | NeurIPS | Link | Link |
| 2020 | Toward Robustness and Privacy in Federated Learning: Experimenting with Local and Central Differential Privacy | White-box | Classification Models | Arxiv | Link | |
| 2020 | Defending Model Inversion and Membership Inference Attacks via Prediction Purification | Black-box | Classification | Arxiv | Link | |
| 2020 | Alleviating Privacy Attacks via Causal Learning | Black-box | Classification Models | ICML | Link | Link |
| 2020 | On the Effectiveness of Regularization Against Membership Inference Attacks | Black-box | Classification Models | Arxiv | Link | |
| 2020 | Characterizing Membership Privacy in Stochastic Gradient Langevin Dynamics | Black-box | Classification Models | AAAI | Link | |
| 2020 | Differentially Private Learning Does Not Bound Membership Inference | Black-box | Classification Models | Arxiv | Link | |
| 2020 | Privacy-Preserving in Defending against Membership Inference Attacks | Black-box | Classification Models | PPMLP | Link |
Defense Papers 2019 [Back to Top]
| Year | Title | Adversarial Knowledge | Target Model | Venue | Paper Link | Code Link |
|---|---|---|---|---|---|---|
| 2019 | Evaluating Differentially Private Machine Learning in Practice | Black-box | Classification Models | USENIX Security | Link | Link |
| 2019 | MemGuard: Defending against Black-Box Membership Inference Attacks via Adversarial Examples | Black-box | Classification Models | CCS | Link | Link |
| 2019 | Generalization in Generative Adversarial Networks: A Novel Perspective from Privacy Protection | White-box; Black-box | Generative Models | NeurIPS | Link | |
| 2019 | Cronus: Robust and Heterogeneous Collaborative Learning with Black-Box Knowledge Transfer | Black-box | Classification Models | Arxiv | Link | |
| 2019 | ML Defense: Against Prediction API Threats in Cloud-Based Machine Learning Service | Black-box | Classification Models | IWQoS | Link | |
| 2019 | Effects of Differential Privacy and Data Skewness on Membership Inference Vulnerability | Black-box | Classification Models | TPS-ISA | Link | |
| 2019 | Generating Artificial Data for Private Deep Learning | Black-box | Generative Models | PAL | Link |
Defense Papers 2018 [Back to Top]
| Year | Title | Adversarial Knowledge | Target Model | Venue | Paper Link | Code Link |
|---|---|---|---|---|---|---|
| 2018 | Machine Learning with Membership Privacy using Adversarial Regularization | Black-box | Classification Models | CCS | Link | Link |
| 2018 | Privacy-preserving Machine Learning through Data Obfuscation | Black-box | Classification Models | Arxiv | Link | |
| 2018 | Differentially Private Data Generative Models | Black-box | Classification Models | Arxiv | Link | |
| 2018 | Membership Inference Attack against Differentially Private Deep Learning Model | Black-box | Classification Models | Transactions on Data Privacy | Link |