Membership Inference Attacks and Defenses on Machine Learning Models Literature
A curated list of membership inference attacks and defenses papers on machine learning models.
Paper are sorted by their released dates in descending order.
This repository serves as a complement of the survey below.
Membership Inference Attacks on Machine Learning: A Survey (More than 100 papers reviewed).
@article {hu2022membership ,
title ={ Membership inference attacks on machine learning: A survey} author ={ Hu, Hongsheng and Salcic, Zoran and Sun, Lichao and Dobbie, Gillian and Yu, Philip S and Zhang, Xuyun} journal ={ ACM Computing Surveys (CSUR)} volume ={ 54} number ={ 11s} pages ={ 1--37} year ={ 2022} publisher ={ ACM New York, NY} If you feel this repository is helpful, please help to cite the survey above.
Search keywords like conference name (e.g., CCS), adversarial knowledge (e.g., Black-box), or target model (e.g., Classification Model) over the webpage to quickly locate related papers.
Attack papers sorted by year: |2023 |2022 |2021 | 2020 | 2019 | 2018 | 2017 |
Defense papers sorted by year: | 2022 | 2021 | 2020 | 2019 | 2018 |
Membership Inference Attack
Year
Title
Adversarial Knowledge
Target Model
Venue
Paper Link
Code Link
2023
AgrEvader: Poisoning Membership Inference against Byzantine-robust Federated Learning White-box
Classification Models
WWW
Link Link
2023
Membership Inference Attacks Against Sequential Recommender Systems Black-box
Recommender System
WWW
Link
2023
A Blessing of Dimensionality in Membership Inference through Regularization Black-box
Classification Models
AISTATS
Link Link
2023
Active Membership Inference Attack under Local Differential Privacy in Federated Learning White-box
Classification Models
AISTATS
Link Link
2023
Membership Inference Attacks against Synthetic Data through Overfitting Detection Black-box
Generative models
AISTATS
Link Link
2023
Students Parrot Their Teachers: Membership Inference on Model Distillation Black-box
Classification Models
Arxiv
Link
2023
Membership Inference Attacks against Diffusion Models White-box; Black-box
Generative Models
Arxiv
Link
2023
Interaction-level Membership Inference Attack Against Federated Recommender Systems White-box
Recommender System
WWW
Link
2023
Are Diffusion Models Vulnerable to Membership Inference Attacks? Black-box
Generative Models
Arxiv
Link
2023
Accuracy-Privacy Trade-off in Deep Ensemble: A Membership Inference Perspective Black-box
Classification Models
S&P
Link Link
2023
Membership Inference of Diffusion Models Black-box
Generative Models
Arxiv
Link
2023
MiDA: Membership inference attacks against domain adaptation Black-box
Classification Models
ISA Transactions
Link
Year
Title
Adversarial Knowledge
Target Model
Venue
Paper Link
Code Link
2022
On the Discredibility of Membership Inference Attacks Black-box
Classification Models
Arxiv
Link
2022
Membership Inference Attacks Against Semantic Segmentation Models Black-box
Semantic Segmentation Models
Arxiv
Link Link
2022
Similarity Distribution based Membership Inference Attack on Person Re-identification Black-box
Person Re-identification
AAAI
Link
2022
Amplifying Membership Exposure via Data Poisoning Black-box
Classification Models
NeurIPS
Link Link
2022
Canary in a Coalmine: Better Membership Inference with Ensembled Adversarial Queries Black-box
Classification Models
Arxiv
Link Link
2022
Membership Inference Attacks Against Text-to-image Generation Models Black-box
Text-to-image Models
Arxiv
Link
2022
Membership Inference Attacks Against Robust Graph Neural Network Black-box
Classification Models
CSS
Link
2022
No-Label User-Level Membership Inference for ASR Model Auditing Balck-box
Automatic Speech Recognition Model
ESORICS
Link
2022
Membership Inference Attacks and Generalization: A Causal Perspective Black-box; White-box
Classification Models
CCS
Link
2022
M^4I: Multi-modal Models Membership Inference Black-box
Multi-modal Models
NeurIPS
Link Link
2022
Membership Inference Attacks by Exploiting Loss Trajectory Black-box
Classification Models
CCS
Link Link
2022
Auditing Membership Leakages of Multi-Exit Networks White-box; Black-box
Classification Models
CCS
Link Link
2022
Label-Only Membership Inference Attack against Node-Level Graph Neural Networks Black-box
Classification Models
Arxiv
Link
2022
Membership-Doctor: Comprehensive Assessment of Membership Inference Against Machine Learning Models Black-box
Classification Models
Arxiv
Link
2022
On the Privacy Effect of Data Enhancement via the Lens of Memorization Black-box
Classification Models
Arxiv
Link
2022
Membership Inference Attacks via Adversarial Examples White-box
Classification Models
Arxiv
Link
2022
Label-Only Membership Inference Attack against Node-Level Graph Neural Networks Black-box
Classification Models
Arxiv
Link
2022
Semi-Leak: Membership Inference Attacks Against Semi-supervised Learning Black-box
Semi-supervised Learning Models
ECCV
Link Link
2022
Debiasing Learning for Membership Inference Attacks Against Recommender Systems Black-box
Recommender System
KDD
Link
2022
Membership Inference via Backdooring Black-box
Classification Models
IJCAI
Link Link
2022
Membership Inference Attacks Against Machine Learning Models via Prediction Sensitivity Black-box
Classification Models
IEEE Trans Dependable Secure Comput
Link Link
2022
Subject Membership Inference Attacks in Federated Learning White-box
Classification Models
Arxiv
Link
2022
Membership Feature Disentanglement Network White-box
Classification Models
ASIA CCS
Link
2022
Understanding Disparate Effects of Membership Inference Attacks and their Countermeasures Black-box
Classification Models
ASIA CCS
Link
2022
l-Leaks:Membership Inference Attacks with Logits Black-box
Classification Models
Arxiv
Link
2022
CS-MIA: Membership inference attack based on prediction confidence series in federated learning White-box
Classification Models
J. Inf. Secur. Appl
Link
2022
Evaluating Membership Inference Through Adversarial Robustnes White-box
Classfication Models
The Computer Journal
Link Link
2022
How to Combine Membership-Inference Attacks on Multiple Updated Models Black-box
Classification Models
Arxiv
Link Link
2022
An Efficient Subpopulation-based Membership Inference Attack Black-box
Classification Models
Arxiv
Link
2022
Assessing the Impact of Membership Inference Attacks on Classical Machine Learning Algorithms Black-box
Classification Models
DRCN
Link Link
2022
Optimal Membership Inference Bounds for Adaptive Composition of Sampled Gaussian Mechanisms White-box; Black-box
Classification Models
Arxiv
Link
2022
Perfectly Accurate Membership Inference by a Dishonest Central Server in Federated Learning White-box
Classification Models
Arxiv
Link Link
2022
Leveraging Adversarial Examples to Quantify Membership Information Leakage White-box; Black-box
Classification Models
CVPR
Link Link
2022
Quantifying Privacy Risks of Masked Language Models Using Membership Inference Attacks Black-box
Masked Language Models
Arxiv
Link
2022
User-Level Membership Inference Attack against Metric Embedding Learning Black-box
Metric Embedding Models
Arxiv
Link
2022
Label-Only Membership Inference Attacks and Defenses In Semantic Segmentation Models Black-box
Segmentation Models
IEEE Trans Dependable Secure Comput
Link
2022
Membership Inference Attacks and Defenses in Neural Network Pruning Black-box
Classification Models
USENIX Security
Link Link
2022
Parameters or Privacy: A Provable Tradeoff Between Overparameterization and Membership Inference Black-box
Regression Models
Arxiv
Link
2022
LTU Attacker for Membership Inference White-box; Black-box
Classification Models
AAAI Workshop
Link Link
Year
Title
Adversarial Knowledge
Target Model
Venue
Paper Link
Code Link
2021
Membership Inference Attacks From First Principles White-box; Black-box
Classification Models
Arxiv
Link
2021
SHAPr: An Efficient and Versatile Membership Privacy Risk Metric for Machine Learning Black-box
Classification Models
Arxiv
Link
2021
Enhanced Membership Inference Attacks against Machine Learning Models Black-box
Classification Models
Arxiv
Link Link
2021
Do Not Trust Prediction Scores for Membership Inference Attacks Black-box
Classification Models
IJCAI
Link Link
2021
On the Importance of Difficulty Calibration in Membership Inference Attacks White-box
Classification Models
Arxiv
Link
2021
Membership Inference Attacks against GANs by Leveraging Over-representation Regions White-box
Generative Models
CCS
Link
2021
Membership Inference Attacks Against Recommender Systems Black-box
Recommender Systems
CCS
Link Link
2021
Source Inference Attacks in Federated Learning Black-box
Classifcation Models
ICDM
Link Link
2021
Adapting Membership Inference Attacks to GNN for Graph Classification: Approaches and Implications Black-box
Classification Models
ICDM
Link Link
2021
On The Vulnerability of Recurrent Neural Networks to Membership Inference Attacks Black-box
Text Generation Models
Arxiv
Link Link
2021
On the Difficulty of Membership Inference Attacks White-box
Classification Models
CVPR
Link Link
2021
Quantifying Privacy Leakage in Graph Embedding White-box; Black-box
Graph Embedding Models
NeurIPS Workshop
Link Link
2021
Label-only membership inference attacks Black-box
Classification Models
ICML
Link Link
2021
On the Privacy Risks of Model Explanations Black-box
Classification Models
AIES
Link
2021
Systematic evaluation of privacy risks of machine learning models White-box; Black-box
Classification Models
USENIX Security
Link Link
2021
Practical blind membership inference attack via differential comparisons Black-box
Classification Models
NDSS
Link Link
2021
On the (In) Feasibility of Attribute Inference Attacks on Machine Learning Models White-box; Black-box
Classification Models
EuroS&P
Link
2021
Bounding Information Leakage in Machine Learning White-box
Classification Models
Arxiv
Link
2021
How Does Data Augmentation Affect Privacy in Machine Learning? Black-box
Classification Models
AAAI
Link Link
2021
Node-Level Membership Inference Attacks Against Graph Neural Networks Black-box
Classification Models
Arxiv
Link
2021
The Audio Auditor: User-Level Membership Inference in Internet of Things Voice Services Black-box
Automatic Speech Recognition Model
PoPETs
Link
2021
Reconstruction-Based Membership Inference Attacks are Easier on Difficult Problems Black-box
Image Translation Models; Image Segmentation Models
ICCV
Link Link
2021
This Person (Probably) Exists. Identity Membership Attacks Against GAN Generated Faces Black-box
Generative Models
Arxiv
link
2021
Membership Inference Attack Susceptibility of Clinical Language Models White-box; Black-box
Clinical Language Models
Arxiv
Link
2021
Killing four birds with one Gaussian process: the relation between different test-time attacks Black-box
Classification Models
ICPR
Link
2021
Evaluating the Vulnerability of End-to-End Automatic Speech Recognition Models To Membership Inference Attacks Black-box
Speech Recognition Models
Interspeech
Link
2021
Membership Inference Attacks on Knowledge Graphs Black-box
Knowledge Graph Embedding Models
Arxiv
Link
2021
Membership Leakage in Label-Only Exposures Black-box
Classification Models
CCS
Link
2021
Membership inference attack on graph neural networks Black-box
Classification Models
Arxiv
Link
2021
Membership Inference Attacks on Deep Regression Models for Neuroimaging Black-box
Regression Models
MIDL
Link
2021
Membership Inference Attacks on Lottery Ticket Networks Black-box
Classification Models
ICML Workshop
Link
2021
Membership Inference on Word Embedding and Beyond Black-box
Word Embedding Models
Arxiv
Link
2021
EncoderMI: Membership Inference against Pre-trained Encoders in Contrastive Learning Black-box
Image Encoder Models
CCS
Link
Year
Title
Adversarial Knowledge
Target Model
Venue
Paper Link
Code Link
2020
GECKO: Reconciling Privacy, Accuracy and Efficiency in Embedded Deep Learning Black-box
Classification Models
NeurIPS Workshop
Link
2020
Gan-leaks: A taxonomy of membership inference attacks against generative models White-box; Black-box
Generative Models
CCS
Link Link
2020
Stolen Memories: Leveraging Model Memorization for Calibrated White-Box Membership Inference White-box
Classification Models
USENIX Security
Link
2020
Information leakage in embedding models Black-box
Text Embedding Models
CCS
Link
2020
When machine unlearning jeopardizes privacy Black-box
Classification Models
Arxiv
Link
2020
Revisiting membership inference under realistic assumptions Black-box
Classification Models
PoPETs
Link Link
2020
Membership inference attacks on sequence-to-sequence models: Is my data in your machine translation system? Black-box
Text Generation Models
TACL
Link Link
2020
Segmentations-leak: Membership inference attacks and defenses in semantic image segmentation Black-box
Image Segmentation Models
ECCV
Link Link
2020
Performing co-membership attacks against deep generative models White-box
Generative Models
ICDM
Link
2020
On the privacy risks of algorithmic fairness Black-box
Classification Models
EuroS&P
Link
2020
A Comprehensive Analysis of Information Leakage in Deep Transfer Learning Black-box
Classification Models
Arxiv
Link
2020
Gan enhanced membership inference: A passive local attack in federated learning White-box
Classification Models
ICC
Link
2020
Privacy analysis of deep learning in the wild: Membership inference attacks against transfer learning Black-box
Classification Models
Arxiv
Link
2020
Data and model dependencies of membership inference attack Black-box
Classification Models
Arxiv
Link
2020
A Pragmatic Approach to Membership Inferences on Machine Learning Models Black-box
Classification Models
EuroS&P
Link
2020
Quantifying Membership Inference Vulnerability via Generalization Gap and Other Model Metrics Black-box
Classification Models
Arxiv
Link
2020
Investigating the Impact of Pre-trained Word Embeddings on Memorization in Neural Networks Black-box
Word Embedding Models
TSD
Link
2020
Beyond Model-Level Membership Privacy Leakage: an Adversarial Approach in Federated Learning White-box
Classification Models
ICCCN
Link
2020
Practical Membership Inference Attack Against Collaborative Inference in Industrial IoT White-box
Classification Models
IEEE Trans. Industr. Inform.
Link
Year
Title
Adversarial Knowledge
Target Model
Venue
Paper Link
Code Link
2019
Exploiting unintended feature leakage in collaborative learning White-box
Classification Models
S&P
Link Link
2019
Comprehensive Privacy Analysis of Deep Learning: Passive and Active White-box Inference Attacks against Centralized and Federated Learning Black-box; White-box
Classification Models
S&P
link Link
2019
ML-Leaks: Model and Data Independent Membership Inference Attacks and Defenses on Machine Learning Models Black-box
Classification Models
NDSS
Link Link
2019
LOGAN: Membership Inference Attacks Against Generative Models Black-box; White-box
Generative Models
PoPETs
Link Link
2019
White-box vs Black-box: Bayes Optimal Strategies for Membership Inference Black-box
Classification Models
ICML
Link
2019
Auditing data provenance in text-generation models Black-box
Text Generation Models
KDD
Link Link
2019
Socinf: Membership inference attacks on social media health data with machine learning Black-box
Classification Models
IEEE Trans. Comput. Soc. Syst.
Link
2019
Monte Carlo and Reconstruction Membership Inference Attacks against Generative Models. White-box; Black-box
Generative Models
PoPETs
Link Link
2019
Disparate Vulnerability: on the Unfairness of Privacy Attacks Against Machine Learning Black-box
Classification Models
Arxiv
Link
2019
Demystifying the membership inference attack Black-box
Classification Models
CMI
Link
2019
Differential Privacy Defenses and Sampling Attacks for Membership Inference Black-box
Classification Models
NeurIPS Workshop
Link
2019
Privacy Risks of Securing Machine Learning Models against Adversarial Examples Black-box
Classification Models
CCS
Link Link
2019
Membership Inference Attacks against Adversarially Robust Deep Learning Models Black-box
Classification Models
S&P Workshop
Link
2019
Demystifying Membership Inference Attacks in Machine Learning as a Service Black-box
Classification Models
IEEE Trans. Serv. Comput.
Link
Year
Title
Adversarial Knowledge
Target Model
Venue
Paper Link
Code Link
2018
Privacy Risk in Machine Learning: Analyzing the Connection to Overfitting Black-box
Classification Models
CSF
Link Link
2018
Understanding membership inferences on well-generalized learning models Black-box
Classification Models
Arxiv
link
Year
Title
Adversarial Knowledge
Target Model
Venue
Paper Link
Code Link
2017
Membership inference attacks against machine learning models Black-box
Classification Models
S&P
link Link
Membership Inference Defense
Year
Title
Adversarial Knowledge
Target Model
Venue
Paper Link
Code Link
2022
Defense against membership inference attack in graph neural networks through graph perturbation White-box
Graph Embedding Models
Int. J. Inf. Secur.
Link
2022
Provable Membership Inference Privacy White-box; Black-box
Classification Models
Arxiv
Link
2022
Repeated Knowledge Distillation with Confidence Masking to Mitigate Membership Inference Attacks White-box; Black-box
Classification Models
AISec
Link
2022
NeuGuard: Lightweight Neuron-Guided Defense against Membership Inference Attacks Black-box
Classification Models
Arxiv
Link
2022
Defending against Membership Inference Attacks with High Utility by GAN White-box; Black-box
Classification Models
TDSC
Link
2022
RelaxLoss: Defending Membership Inference Attacks without Losing Utility White-box; Black-box
Classification Models
ICLR
Link Link
2022
Assessing Differentially Private Variational Autoencoders under Membership Inference Black-box
Generative Models
Arxiv
Link Link
2022
Membership Privacy Protection for Image Translation Models via Adversarial Knowledge Distillation Black-box
Image Translation Models
Arxiv
Link
2022
MIAShield: Defending Membership Inference Attacks via Preemptive Exclusion of Members Black-box
Classification Models
Arxiv
Link
2022
Privacy-preserving Generative Framework Against Membership Inference Attacks White-box; Black-box
Classification Models
Arxiv
Link
Year
Title
Adversarial Knowledge
Target Model
Venue
Paper Link
Code Link
2021
Enhanced Mixup Training: a Defense Method Against Membership Inference Attack Black-box
Classification Models
ISPEC
Link
2021
Mitigating Membership Inference Attacks by Self-Distillation Through a Novel Ensemble Architecture White-box; Black-box
Classification Models
Arxiv
Link
2021
On the privacy-utility trade-off in differentially private hierarchical text classification White-box
Classification Models
Arxiv
Link
2021
MLCapsule: Guarded Offline Deployment of Machine Learning as a Service Black-box
Classification Models
CVPR
Link
2021
Comparing Local and Central Differential Privacy Using Membership Inference Attacks White-box
Classification Models
DBSec
Link Link
2021
Adversary Instantiation: Lower Bounds for Differentially Private Machine Learning White-box
Classification Models
S&P
Link
2021
When Does Data Augmentation Help With Membership Inference Attacks? Black-box
Classification Models
ICML
Link Link
2021
Against Membership Inference Attack: Pruning is All You Need Black-box
Classification Models
IJCAI
Link
2021
Membership Privacy for Machine Learning Models Through Knowledge Transfer White-box; Black-box
Classification Models
AAAI
Link
2021
Quantifying Membership Privacy via Information Leakage Black-box
Classification Models
IEEE Trans. Inf. Forensics Secur.
Link
2021
Membership Inference Attacks and Defenses in Classification Models Black-box
Classification Models
CODASPY
Link
2021
Digestive Neural Networks: A Novel Defense Strategy Against Inference Attacks in Federated Learning White-box
Classification Models
Computers & Security
Link
2021
Resisting Membership Inference Attacks through Knowledge Distillation Black-box
Classification Models
Neurocomputing
Link
2021
privGAN: Protecting GANs from membership inference attacks at low cost to utility White-box
Generative Models
PoPETs
Link
2021
Generating Private Data Surrogates for Vision Related Tasks White-box
Generative Models
ICPR
Link
2021
Membership Inference Attack with Multi-Grade Service Models in Edge Intelligence Black-box
Classification Models
IEEE Network
Link
2021
PAR-GAN: Improving the Generalization of Generative Adversarial Networks Against Membership Inference Attacks White-box
Generative Models
KDD
Link Link
2021
Defending Medical Image Diagnostics against Privacy Attacks using Generative Methods: Application to Retinal Diagnostics Black-box
Classification Models
MICCAI Workshop
Link
2021
Defending Privacy Against More Knowledgeable Membership Inference Attackers White-box; Black-box
Classification Models
KDD
Link Link
Year
Title
Adversarial Knowledge
Target Model
Venue
Paper Link
Code Link
2020
Privacy for All: Demystify Vulnerability Disparity of Differential Privacy against Membership Inference Attack Black-box
Classification Models
Arxiv
Link
2020
Privacy for All: Demystify Vulnerability Disparity of Differential Privacy against Membership Inference Attack Black-box
Classification Models
Arxiv
Link
2020
Differential Privacy Protection Against Membership Inference Attack on Machine Learning for Genomic Data Black-box
Classification Models
Biocomputing
Link
2020
A Secure Federated Learning Framework for 5G Networks White-box
Classification Models
IEEE Wireless Communications
Link
2020
Auditing Differentially Private Machine Learning: How Private is Private SGD? Black-box
Classification Models
NeurIPS
Link Link
2020
Toward Robustness and Privacy in Federated Learning: Experimenting with Local and Central Differential Privacy White-box
Classification Models
Arxiv
Link
2020
Defending Model Inversion and Membership Inference Attacks via Prediction Purification Black-box
Classification
Arxiv
Link
2020
Alleviating Privacy Attacks via Causal Learning Black-box
Classification Models
ICML
Link Link
2020
On the Effectiveness of Regularization Against Membership Inference Attacks Black-box
Classification Models
Arxiv
Link
2020
Characterizing Membership Privacy in Stochastic Gradient Langevin Dynamics Black-box
Classification Models
AAAI
Link
2020
Differentially Private Learning Does Not Bound Membership Inference Black-box
Classification Models
Arxiv
Link
2020
Privacy-Preserving in Defending against Membership Inference Attacks Black-box
Classification Models
PPMLP
Link
Year
Title
Adversarial Knowledge
Target Model
Venue
Paper Link
Code Link
2019
Evaluating Differentially Private Machine Learning in Practice Black-box
Classification Models
USENIX Security
Link Link
2019
MemGuard: Defending against Black-Box Membership Inference Attacks via Adversarial Examples Black-box
Classification Models
CCS
Link Link
2019
Generalization in Generative Adversarial Networks: A Novel Perspective from Privacy Protection White-box; Black-box
Generative Models
NeurIPS
Link
2019
Cronus: Robust and Heterogeneous Collaborative Learning with Black-Box Knowledge Transfer Black-box
Classification Models
Arxiv
Link
2019
ML Defense: Against Prediction API Threats in Cloud-Based Machine Learning Service Black-box
Classification Models
IWQoS
Link
2019
Effects of Differential Privacy and Data Skewness on Membership Inference Vulnerability Black-box
Classification Models
TPS-ISA
Link
2019
Generating Artificial Data for Private Deep Learning Black-box
Generative Models
PAL
Link
Year
Title
Adversarial Knowledge
Target Model
Venue
Paper Link
Code Link
2018
Machine Learning with Membership Privacy using Adversarial Regularization Black-box
Classification Models
CCS
Link Link
2018
Privacy-preserving Machine Learning through Data Obfuscation Black-box
Classification Models
Arxiv
Link
2018
Differentially Private Data Generative Models Black-box
Classification Models
Arxiv
Link
2018
Membership Inference Attack against Differentially Private Deep Learning Model Black-box
Classification Models
Transactions on Data Privacy
Link
