Machine learning models have been shown to leak information violating the
privacy of their training set. We focus on membership inference attacks on
machine learning models which aim to determine whether a data point was used to
train the victim model. Our work consists of two sides: We introduce sampling
attack, a novel membership inference technique that unlike other standard
membership adversaries is able to work under severe restriction of no access to
scores of the victim model. We show that a victim model that only publishes the
labels is still susceptible to sampling attacks and the adversary can recover
up to 100% of its performance compared to when posterior vectors are provided.
The other sides of our work includes experimental results on two recent
membership inference attack models and the defenses against them. For defense,
we choose differential privacy in the form of gradient perturbation during the
training of the victim model as well as output perturbation at prediction time.
We carry out our experiments on a wide range of datasets which allows us to
better analyze the interaction between adversaries, defense mechanism and
datasets. We find out that our proposed fast and easy-to-implement output
perturbation technique offers good privacy protection for membership inference
attacks at little impact on utility.

该研究关注于机器学习模型中有关成员推断攻击的问题，并提出了一种新的会员推断技术 —— 抽样攻击，进一步研究了两种最近的攻击模型以及针对这些攻击的防御方法，最终发现在预测输出时的输出微扰技术是一种简单易行的隐私保护方法，对预测结果的影响较小。

采样攻击：通过重复查询放大成员推断攻击

Sampling Attacks: Amplification of Membership Inference Attacks by  Repeated Queries

Private regression has received attention from both database and security
communities. Recent work by Fredrikson et al. (USENIX Security 2014) analyzed
the functional mechanism (Zhang et al. VLDB 2012) for training linear
regression models over medical data. Unfortunately, they found that model
accuracy is already unacceptable with differential privacy when $\varepsilon =
5$. We address this issue, presenting an explicit connection between
differential privacy and stable learning theory through which a substantially
better privacy/utility tradeoff can be obtained. Perhaps more importantly, our
theory reveals that the most basic mechanism in differential privacy, output
perturbation, can be used to obtain a better tradeoff for all
convex-Lipschitz-bounded learning tasks. Since output perturbation is simple to
implement, it means that our approach is potentially widely applicable in
practice. We go on to apply it on the same medical data as used by Fredrikson
et al. Encouragingly, we achieve accurate models even for $\varepsilon = 0.1$.
In the last part of this paper, we study the impact of our improved
differentially private mechanisms on model inversion attacks, a privacy attack
introduced by Fredrikson et al. We observe that the improved tradeoff makes the
resulting differentially private model more susceptible to inversion attacks.
We analyze this phenomenon formally.

通过差分隐私和稳定学习理论的显式连接，提出了一种更好的隐私 / 实用性权衡方法，以便为所有凸型 Lipschitz 有界学习任务获得更好的权衡，并将其应用在医疗数据上，以获得更准确的模型。但改进后的隐私机制使得不同隐私机制更容易受到模型反演攻击的影响。