The integration of machine learning (ML) in numerous critical applications
introduces a range of privacy concerns for individuals who provide their
datasets for model training. One such privacy risk is Membership Inference
(MI), in which an attacker seeks to determine whether a particular data sample
was included in the training dataset of a model. Current state-of-the-art MI
attacks capitalize on access to the model's predicted confidence scores to
successfully perform membership inference, and employ data poisoning to further
enhance their effectiveness. In this work, we focus on the less explored and
more realistic label-only setting, where the model provides only the predicted
label on a queried sample. We show that existing label-only MI attacks are
ineffective at inferring membership in the low False Positive Rate (FPR)
regime. To address this challenge, we propose a new attack Chameleon that
leverages a novel adaptive data poisoning strategy and an efficient query
selection method to achieve significantly more accurate membership inference
than existing label-only attacks, especially at low FPRs.

利用机器学习在多个关键应用中的整合引入了个人提供数据进行模型训练时的隐私问题，其中一个隐私风险是成员推断（Membership Inference）攻击，攻击者试图确定特定数据样本是否包含在模型的训练数据集中。本文关注较少探索且更为现实的仅标签（label-only）设置，其中模型仅提供对查询样本的预测标签，我们发现现有的仅标签成员推断攻击在低误报率（False Positive Rate，FPR）情况下无法有效推断成员身份。我们针对这一挑战提出一种新攻击方法 Chameleon，利用一种新颖的自适应数据投毒策略和高效的查询选择方法，在低 FPR 情况下显著提高了成员推断的准确性，较现有的仅标签攻击更为有效。

变色龙：通过自适应攻击增加仅标签成员的泄露

Chameleon: Increasing Label-Only Membership Leakage with Adaptive  Poisoning

Membership inference attacks are one of the simplest forms of privacy leakage
for machine learning models: given a data point and model, determine whether
the point was used to train the model. Existing membership inference attacks
exploit models' abnormal confidence when queried on their training data. These
attacks do not apply if the adversary only gets access to models' predicted
labels, without a confidence measure. In this paper, we introduce label-only
membership inference attacks. Instead of relying on confidence scores, our
attacks evaluate the robustness of a model's predicted labels under
perturbations to obtain a fine-grained membership signal. These perturbations
include common data augmentations or adversarial examples. We empirically show
that our label-only membership inference attacks perform on par with prior
attacks that required access to model confidences. We further demonstrate that
label-only attacks break multiple defenses against membership inference attacks
that (implicitly or explicitly) rely on a phenomenon we call confidence
masking. These defenses modify a model's confidence scores in order to thwart
attacks, but leave the model's predicted labels unchanged. Our label-only
attacks demonstrate that confidence-masking is not a viable defense strategy
against membership inference. Finally, we investigate worst-case label-only
attacks, that infer membership for a small number of outlier data points. We
show that label-only attacks also match confidence-based attacks in this
setting. We find that training models with differential privacy and (strong) L2
regularization are the only known defense strategies that successfully prevents
all attacks. This remains true even when the differential privacy budget is too
high to offer meaningful provable guarantees.

本文介绍了一种基于标签的会员推理攻击方法，通过对模型预测标签进行扰动来获取精细的成员信号，该攻击未被置换机密度分数的防御措施所挫败，仅采用差分隐私和（强）L2 正则化等防御策略才能有效地抵御所有攻击。