Membership Inference Attack in Face of Data Transformations

Abstract

Membership inference attacks (MIAs) on machine learning models, which try to infer whether a sample is in the training dataset of a target model, have been widely studied over recent years as data privacy attracts increasing attention. One unignorable problem in the current MIA threat model is that it assumes the attacker always obtains exactly the same samples as in the training set. In reality, however, the attacker is more likely to gather only a transformed version of the training samples. For instance, portraits downloadable from a social networking website usually are re-scaled and compressed, while the website owner can train models with RAW images. We believe a transformed training sample still causes privacy leakage if the transformation is semantic-preserving. Therefore, we broaden the concept of membership inference into more realistic scenarios by considering data transformations. We introduce two strategies for designing MIAs in face of data transformations: one adapts current MIAs to transformations, and the other tries to reverse the transformations approximately. We demonstrated the effectiveness of our strategies and the significance of considering data transformations by extensive evaluations of multiple datasets with several common data transformations and by comparisons with six state-of-the-art attacks. Moreover, we conduct evaluations on data-augmented and privacy-preserving models protected by three state-of-the-art defenses.