Membership Inference Attacks (MIAs) aim to identify specific data samples
within the private training dataset of machine learning models, leading to
serious privacy violations and other sophisticated threats. Many practical
black-box MIAs require query access to the data distribution (the same
distribution where the private data is drawn) to train shadow models. By doing
so, the adversary obtains models trained "with" or "without" samples drawn from
the distribution, and analyzes the characteristics of the samples under
consideration. The adversary is often required to train more than hundreds of
shadow models to extract the signals needed for MIAs; this becomes the
computational overhead of MIAs. In this paper, we propose that by strategically
choosing the samples, MI adversaries can maximize their attack success while
minimizing the number of shadow models. First, our motivational experiments
suggest memorization as the key property explaining disparate sample
vulnerability to MIAs. We formalize this through a theoretical bound that
connects MI advantage with memorization. Second, we show sample complexity
bounds that connect the number of shadow models needed for MIAs with
memorization. Lastly, we confirm our theoretical arguments with comprehensive
experiments; by utilizing samples with high memorization scores, the adversary
can (a) significantly improve its efficacy regardless of the MIA used, and (b)
reduce the number of shadow models by nearly two orders of magnitude compared
to state-of-the-art approaches.

该研究通过选择具有高记忆得分的样本，旨在最大化攻击成功的同时，将阴影模型的数量减少近两个数量级，并且通过了全面的实验验证。

为什么要训练更多？通过记忆进行有效和高效的成员推断

Why Train More? Effective and Efficient Membership Inference via  Memorization

Membership inference attacks are designed to determine, using black box
access to trained models, whether a particular example was used in training or
not. Membership inference can be formalized as a hypothesis testing problem.
The most effective existing attacks estimate the distribution of some test
statistic (usually the model's confidence on the true label) on points that
were (and were not) used in training by training many \emph{shadow models} --
i.e. models of the same architecture as the model being attacked, trained on a
random subsample of data. While effective, these attacks are extremely
computationally expensive, especially when the model under attack is large.
We introduce a new class of attacks based on performing quantile regression
on the distribution of confidence scores induced by the model under attack on
points that are not used in training. We show that our method is competitive
with state-of-the-art shadow model attacks, while requiring substantially less
compute because our attack requires training only a single model. Moreover,
unlike shadow model attacks, our proposed attack does not require any knowledge
of the architecture of the model under attack and is therefore truly
``black-box". We show the efficacy of this approach in an extensive series of
experiments on various datasets and model architectures.

成员推断攻击是为了确定一个特定的示例是否被用于训练，采用黑盒访问已训练模型。我们引入了一种新类型的攻击，基于对在训练中未使用的数据上由被攻击模型诱导的置信分数的分位回归。我们通过大量的实验展示了该方法在各种数据集和模型架构上的有效性。

基于分位数回归的可扩展成员推断攻击

Scalable Membership Inference Attacks via Quantile Regression

Membership inference (MI) attacks affect user privacy by inferring whether
given data samples have been used to train a target learning model, e.g., a
deep neural network. There are two types of MI attacks in the literature, i.e.,
these with and without shadow models. The success of the former heavily depends
on the quality of the shadow model, i.e., the transferability between the
shadow and the target; the latter, given only blackbox probing access to the
target model, cannot make an effective inference of unknowns, compared with MI
attacks using shadow models, due to the insufficient number of qualified
samples labeled with ground truth membership information.
In this paper, we propose an MI attack, called BlindMI, which probes the
target model and extracts membership semantics via a novel approach, called
differential comparison. The high-level idea is that BlindMI first generates a
dataset with nonmembers via transforming existing samples into new samples, and
then differentially moves samples from a target dataset to the generated,
non-member set in an iterative manner. If the differential move of a sample
increases the set distance, BlindMI considers the sample as non-member and vice
versa.
BlindMI was evaluated by comparing it with state-of-the-art MI attack
algorithms. Our evaluation shows that BlindMI improves F1-score by nearly 20%
when compared to state-of-the-art on some datasets, such as Purchase-50 and
Birds-200, in the blind setting where the adversary does not know the target
model's architecture and the target dataset's ground truth labels. We also show
that BlindMI can defeat state-of-the-art defenses.

该文提出了一种新的成员推断 (Membership Inference) 攻击方法 BlindMI，该方法通过差分比较探测目标模型并提取成员语义，并且在某些数据集上相对于现有的成员推断攻击算法能够提高 F1-score 约 20%。