Masked Image Modeling (MIM) has achieved significant success in the realm of self-supervised learning (SSL) for visual recognition. The image encoder pre-trained through MIM, involving the masking and subsequent reconstruction of input images, attains state-of-the-art performance in various downstream vision tasks. However, most existing works focus on improving the performance of MIM.In this work, we take a different angle by studying the pre-training data privacy of MIM. Specifically, we propose the first membership inference attack against image encoders pre-trained by MIM, which aims to determine whether an image is part of the MIM pre-training dataset. The key design is to simulate the pre-training paradigm of MIM, i.e., image masking and subsequent reconstruction, and then obtain reconstruction errors. These reconstruction errors can serve as membership signals for achieving attack goals, as the encoder is more capable of reconstructing the input image in its training set with lower errors. Extensive evaluations are conducted on three model architectures and three benchmark datasets. Empirical results show that our attack outperforms baseline methods. Additionally, we undertake intricate ablation studies to analyze multiple factors that could influence the performance of the attack.

本研究关注于掩蔽图像建模（MIM）在视觉识别中的数据隐私问题，提出了首个针对MIM预训练图像编码器的成员推断攻击方法。通过模拟MIM的预训练过程并获取重建误差，研究显示该攻击能够有效识别图像是否属于预训练数据集，相较于基线方法取得了更优异的结果，揭示了MIM在隐私保护方面的潜在风险。

针对掩蔽图像建模的成员推断攻击