# Membership Inference Attacks and Defenses on Machine Learning Models Literature

A curated list of papers on membership inference attacks and defenses for machine learning models. Papers are sorted by release date in descending order.

This repository complements the survey below:

Membership Inference Attacks on Machine Learning: A Survey (more than 100 papers reviewed).

```bibtex
@article{hu2021membership,
  title={Membership inference attacks on machine learning: A survey},
  author={Hu, Hongsheng and Salcic, Zoran and Sun, Lichao and Dobbie, Gillian and Yu, Philip S and Zhang, Xuyun},
  journal={ACM Computing Surveys (CSUR)},
  year={2021},
  publisher={ACM New York, NY}
}
```

If you find this repository helpful, please cite the survey above.

Search the page for keywords such as a conference name (e.g., CCS), the adversarial knowledge (e.g., Black-box), or the target model (e.g., Classification Model) to quickly locate related papers.

Attack papers sorted by year: | 2022 | 2021 | 2020 | 2019 | 2018 | 2017 |

Defense papers sorted by year: | 2022 | 2021 | 2020 | 2019 | 2018 |
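Added example (written for this page, not taken from any listed paper or from the survey): a minimal black-box membership inference audit in pure Python, to make concrete what the Adversarial Knowledge and Target Model columns refer to. It overfits a logistic-regression classifier on 20 constructed points in 32 dimensions, then runs two attacks that see only the model's output probability: the label-only "gap" baseline and a loss-threshold attack, in the spirit of "Privacy Risk in Machine Learning: Analyzing the Connection to Overfitting" (CSF 2018) and "Systematic evaluation of privacy risks of machine learning models" (USENIX Security 2021) listed in the attack tables. It also reports the true-positive rate at 1% false-positive rate, the metric "Membership Inference Attacks From First Principles" (2021) argues for. The synthetic data, the fixed seed, the sizes, the training hyperparameters and all function names are choices made for this illustration.

```python
"""Black-box membership-inference audit of a deliberately overfit classifier.

Added example for this page; not code from any listed paper. The attacks
follow the loss-threshold / label-only baselines of "Privacy Risk in Machine
Learning: Analyzing the Connection to Overfitting" (CSF 2018) and the metric
sweeps of "Systematic evaluation of privacy risks of machine learning models"
(USENIX Security 2021). All data is synthetic and constructed here.
"""
import math
import random

D, N_TRAIN, N_TEST = 32, 20, 200   # N_TRAIN <= D+1: the training set is linearly separable
LN2 = math.log(2)                  # loss on the true label < ln 2  <=>  label predicted correctly


def make_data(n, true_w):
    """Constructed data: Gaussian features, weak linear signal, heavy label noise."""
    xs, ys = [], []
    for _ in range(n):
        x = [random.gauss(0, 1) for _ in range(D)]
        margin = sum(w * v for w, v in zip(true_w, x)) + random.gauss(0, 5.0)
        xs.append(x)
        ys.append(1 if margin > 0 else 0)
    return xs, ys


def sigmoid(z):
    """Numerically stable logistic function (no exp overflow for large |z|)."""
    if z >= 0:
        return 1.0 / (1.0 + math.exp(-z))
    ez = math.exp(z)
    return ez / (1.0 + ez)


def train_logreg(xs, ys, steps=2000, lr=0.05):
    """Full-batch gradient descent with no regularisation or early stopping,
    so the model memorises its training points (training loss -> 0)."""
    w, b = [0.0] * D, 0.0
    for _ in range(steps):
        gw, gb = [0.0] * D, 0.0
        for x, y in zip(xs, ys):
            err = sigmoid(sum(wi * xi for wi, xi in zip(w, x)) + b) - y
            for j in range(D):
                gw[j] += err * x[j]
            gb += err
        w = [wj - lr * gj / len(xs) for wj, gj in zip(w, gw)]
        b -= lr * gb / len(xs)
    return w, b


def predict_proba(model, x):
    """The only thing a black-box attacker sees: P(y = 1 | x)."""
    w, b = model
    return sigmoid(sum(wi * xi for wi, xi in zip(w, x)) + b)


def loss_on_true_label(p1, y):
    """Cross-entropy of the true label, clamped so log(0) cannot occur."""
    p = p1 if y == 1 else 1.0 - p1
    return -math.log(min(max(p, 1e-12), 1.0 - 1e-12))


def balanced_accuracy(member_flags, nonmember_flags):
    """0.5*TPR + 0.5*TNR, so unequal member/non-member counts do not skew it."""
    tpr = sum(member_flags) / len(member_flags)
    tnr = 1.0 - sum(nonmember_flags) / len(nonmember_flags)
    return 0.5 * (tpr + tnr)


def gap_attack(losses_in, losses_out):
    """Label-only baseline: guess 'member' iff the model predicts the true label."""
    return balanced_accuracy([l < LN2 for l in losses_in], [l < LN2 for l in losses_out])


def loss_threshold_attack(losses_in, losses_out):
    """Best balanced accuracy over every loss threshold. Picking the threshold on
    the evaluation data is the worst case a model owner audits against; a real
    attacker would set it from shadow models trained on similar data."""
    return max(balanced_accuracy([l <= t for l in losses_in], [l <= t for l in losses_out])
               for t in set(losses_in + losses_out))


def tpr_at_fpr(losses_in, losses_out, fpr=0.01):
    """TPR when the threshold admits at most fpr*len(losses_out) non-members:
    average-case accuracy can look mild while a few members are exposed with
    near certainty, or vice versa."""
    k = int(fpr * len(losses_out))
    t = sorted(losses_out)[k]       # exactly k non-members fall strictly below t
    return sum(l < t for l in losses_in) / len(losses_in)


def run_audit(seed=7):
    random.seed(seed)               # fixed seed: the run is reproducible
    true_w = [random.gauss(0, 1) for _ in range(D)]
    x_in, y_in = make_data(N_TRAIN, true_w)      # members
    x_out, y_out = make_data(N_TEST, true_w)     # non-members from the same distribution
    model = train_logreg(x_in, y_in)
    loss_in = [loss_on_true_label(predict_proba(model, x), y) for x, y in zip(x_in, y_in)]
    loss_out = [loss_on_true_label(predict_proba(model, x), y) for x, y in zip(x_out, y_out)]
    return {
        "train_acc": sum(l < LN2 for l in loss_in) / N_TRAIN,
        "test_acc": sum(l < LN2 for l in loss_out) / N_TEST,
        "gap_attack_bal_acc": gap_attack(loss_in, loss_out),
        "loss_attack_bal_acc": loss_threshold_attack(loss_in, loss_out),
        "loss_attack_tpr_at_1pct_fpr": tpr_at_fpr(loss_in, loss_out),
    }


if __name__ == "__main__":
    for name, value in run_audit().items():
        print(f"{name:>28}: {value:.3f}")
```

Running the script prints training versus test accuracy (the generalization gap), the balanced accuracy of each attack, and the TPR at 1% FPR. Because the model memorises its training set, members get near-zero loss on their true label while misclassified non-members get a large one, so both attacks land well above the 0.5 of random guessing. The balanced accuracy here is the worst case over thresholds on the evaluation data, which is the right number for an owner auditing their own model but optimistic for an external attacker. A defense that closes the gap (regularization, differential privacy, distillation, as in the defense tables) should push it back toward 0.5; the TPR at low FPR tells you whether any individual record is still exposed with confidence even when the average looks acceptable.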
## Membership Inference Attack

### 2022

| Year | Title | Adversarial Knowledge | Target Model | Venue | Paper Link | Code Link |
|------|-------|-----------------------|--------------|-------|------------|-----------|
| 2022 | Assessing the Impact of Membership Inference Attacks on Classical Machine Learning Algorithms | Black-box | Classification Models | DRCN | Link | Link |
| 2022 | Optimal Membership Inference Bounds for Adaptive Composition of Sampled Gaussian Mechanisms | White-box; Black-box | Classification Models | Arxiv | Link | |
| 2022 | Perfectly Accurate Membership Inference by a Dishonest Central Server in Federated Learning | White-box | Classification Models | Arxiv | Link | Link |
| 2022 | Leveraging Adversarial Examples to Quantify Membership Information Leakage | White-box; Black-box | Classification Models | CVPR | Link | Link |
| 2022 | Quantifying Privacy Risks of Masked Language Models Using Membership Inference Attacks | Black-box | Masked Language Models | Arxiv | Link | |
| 2022 | User-Level Membership Inference Attack against Metric Embedding Learning | Black-box | Metric Embedding Models | Arxiv | Link | |
| 2022 | Label-Only Membership Inference Attacks and Defenses In Semantic Segmentation Models | Black-box | Segmentation Models | IEEE Trans Dependable Secure Comput | Link | |
| 2022 | Membership Inference Attacks and Defenses in Neural Network Pruning | Black-box | Classification Models | USENIX Security | Link | Link |
| 2022 | Parameters or Privacy: A Provable Tradeoff Between Overparameterization and Membership Inference | Black-box | Regression Models | Arxiv | Link | |
| 2022 | LTU Attacker for Membership Inference | White-box; Black-box | Classification Models | AAAI Workshop | Link | Link |
### 2021

| Year | Title | Adversarial Knowledge | Target Model | Venue | Paper Link | Code Link |
|------|-------|-----------------------|--------------|-------|------------|-----------|
| 2021 | Membership Inference Attacks From First Principles | White-box; Black-box | Classification Models | Arxiv | Link | |
| 2021 | SHAPr: An Efficient and Versatile Membership Privacy Risk Metric for Machine Learning | Black-box | Classification Models | Arxiv | Link | |
| 2021 | Enhanced Membership Inference Attacks against Machine Learning Models | Black-box | Classification Models | Arxiv | Link | Link |
| 2021 | Do Not Trust Prediction Scores for Membership Inference Attacks | Black-box | Classification Models | Arxiv | Link | Link |
| 2021 | On the Importance of Difficulty Calibration in Membership Inference Attacks | White-box | Classification Models | Arxiv | Link | |
| 2021 | Membership Inference Attacks against GANs by Leveraging Over-representation Regions | White-box | Generative Models | CCS | Link | |
| 2021 | Membership Inference Attacks Against Recommender Systems | Black-box | Recommender Systems | CCS | Link | Link |
| 2021 | Source Inference Attacks in Federated Learning | Black-box | Classification Models | ICDM | Link | Link |
| 2021 | Adapting Membership Inference Attacks to GNN for Graph Classification: Approaches and Implications | Black-box | Classification Models | ICDM | Link | Link |
| 2021 | On The Vulnerability of Recurrent Neural Networks to Membership Inference Attacks | Black-box | Text Generation Models | Arxiv | Link | Link |
| 2021 | On the Difficulty of Membership Inference Attacks | White-box | Classification Models | CVPR | Link | Link |
| 2021 | Quantifying Privacy Leakage in Graph Embedding | White-box; Black-box | Graph Embedding Models | NeurIPS Workshop | Link | Link |
| 2021 | Label-only membership inference attacks | Black-box | Classification Models | ICML | Link | Link |
| 2021 | On the Privacy Risks of Model Explanations | Black-box | Classification Models | AIES | Link | |
| 2021 | Systematic evaluation of privacy risks of machine learning models | White-box; Black-box | Classification Models | USENIX Security | Link | Link |
| 2021 | Practical blind membership inference attack via differential comparisons | Black-box | Classification Models | NDSS | Link | Link |
| 2021 | On the (In)Feasibility of Attribute Inference Attacks on Machine Learning Models | White-box; Black-box | Classification Models | EuroS&P | Link | |
| 2021 | Bounding Information Leakage in Machine Learning | White-box | Classification Models | Arxiv | Link | |
| 2021 | How Does Data Augmentation Affect Privacy in Machine Learning? | Black-box | Classification Models | AAAI | Link | Link |
| 2021 | Node-Level Membership Inference Attacks Against Graph Neural Networks | Black-box | Classification Models | Arxiv | Link | |
| 2021 | The Audio Auditor: User-Level Membership Inference in Internet of Things Voice Services | Black-box | Automatic Speech Recognition Models | PoPETs | Link | |
| 2021 | Reconstruction-Based Membership Inference Attacks are Easier on Difficult Problems | Black-box | Image Translation Models; Image Segmentation Models | ICCV | Link | Link |
| 2021 | This Person (Probably) Exists. Identity Membership Attacks Against GAN Generated Faces | Black-box | Generative Models | Arxiv | Link | |
| 2021 | Membership Inference Attack Susceptibility of Clinical Language Models | White-box; Black-box | Clinical Language Models | Arxiv | Link | |
| 2021 | Killing four birds with one Gaussian process: the relation between different test-time attacks | Black-box | Classification Models | ICPR | Link | |
| 2021 | Evaluating the Vulnerability of End-to-End Automatic Speech Recognition Models To Membership Inference Attacks | Black-box | Speech Recognition Models | Interspeech | Link | |
| 2021 | Membership Inference Attacks on Knowledge Graphs | Black-box | Knowledge Graph Embedding Models | Arxiv | Link | |
| 2021 | Membership Leakage in Label-Only Exposures | Black-box | Classification Models | CCS | Link | |
| 2021 | Membership inference attack on graph neural networks | Black-box | Classification Models | Arxiv | Link | |
| 2021 | Membership Inference Attacks on Deep Regression Models for Neuroimaging | Black-box | Regression Models | MIDL | Link | |
| 2021 | Membership Inference Attacks on Lottery Ticket Networks | Black-box | Classification Models | ICML Workshop | Link | |
| 2021 | Membership Inference on Word Embedding and Beyond | Black-box | Word Embedding Models | Arxiv | Link | |
| 2021 | EncoderMI: Membership Inference against Pre-trained Encoders in Contrastive Learning | Black-box | Image Encoder Models | CCS | Link | |
### 2020

| Year | Title | Adversarial Knowledge | Target Model | Venue | Paper Link | Code Link |
|------|-------|-----------------------|--------------|-------|------------|-----------|
| 2020 | GECKO: Reconciling Privacy, Accuracy and Efficiency in Embedded Deep Learning | Black-box | Classification Models | NeurIPS Workshop | Link | |
| 2020 | GAN-Leaks: A Taxonomy of Membership Inference Attacks against Generative Models | White-box; Black-box | Generative Models | CCS | Link | Link |
| 2020 | Stolen Memories: Leveraging Model Memorization for Calibrated White-Box Membership Inference | White-box | Classification Models | USENIX Security | Link | |
| 2020 | Information Leakage in Embedding Models | Black-box | Text Embedding Models | CCS | Link | |
| 2020 | When Machine Unlearning Jeopardizes Privacy | Black-box | Classification Models | Arxiv | Link | |
| 2020 | Revisiting Membership Inference Under Realistic Assumptions | Black-box | Classification Models | PoPETs | Link | Link |
| 2020 | Membership Inference Attacks on Sequence-to-Sequence Models: Is My Data in Your Machine Translation System? | Black-box | Text Generation Models | TACL | Link | Link |
| 2020 | Segmentations-Leak: Membership Inference Attacks and Defenses in Semantic Image Segmentation | Black-box | Image Segmentation Models | ECCV | Link | Link |
| 2020 | Performing Co-membership Attacks Against Deep Generative Models | White-box | Generative Models | ICDM | Link | |
| 2020 | On the Privacy Risks of Algorithmic Fairness | Black-box | Classification Models | EuroS&P | Link | |
| 2020 | A Comprehensive Analysis of Information Leakage in Deep Transfer Learning | Black-box | Classification Models | Arxiv | Link | |
| 2020 | GAN Enhanced Membership Inference: A Passive Local Attack in Federated Learning | White-box | Classification Models | ICC | Link | |
| 2020 | Privacy Analysis of Deep Learning in the Wild: Membership Inference Attacks against Transfer Learning | Black-box | Classification Models | Arxiv | Link | |
| 2020 | Data and Model Dependencies of Membership Inference Attack | Black-box | Classification Models | Arxiv | Link | |
| 2020 | A Pragmatic Approach to Membership Inferences on Machine Learning Models | Black-box | Classification Models | EuroS&P | Link | |
| 2020 | Quantifying Membership Inference Vulnerability via Generalization Gap and Other Model Metrics | Black-box | Classification Models | Arxiv | Link | |
| 2020 | Investigating the Impact of Pre-trained Word Embeddings on Memorization in Neural Networks | Black-box | Word Embedding Models | TSD | Link | |
| 2020 | Beyond Model-Level Membership Privacy Leakage: an Adversarial Approach in Federated Learning | White-box | Classification Models | ICCCN | Link | |
| 2020 | Practical Membership Inference Attack Against Collaborative Inference in Industrial IoT | White-box | Classification Models | IEEE Trans. Industr. Inform. | Link | |
### 2019

| Year | Title | Adversarial Knowledge | Target Model | Venue | Paper Link | Code Link |
|------|-------|-----------------------|--------------|-------|------------|-----------|
| 2019 | Exploiting Unintended Feature Leakage in Collaborative Learning | White-box | Classification Models | S&P | Link | Link |
| 2019 | Comprehensive Privacy Analysis of Deep Learning: Passive and Active White-box Inference Attacks against Centralized and Federated Learning | White-box; Black-box | Classification Models | S&P | Link | Link |
| 2019 | ML-Leaks: Model and Data Independent Membership Inference Attacks and Defenses on Machine Learning Models | Black-box | Classification Models | NDSS | Link | Link |
| 2019 | LOGAN: Membership Inference Attacks Against Generative Models | White-box; Black-box | Generative Models | PoPETs | Link | Link |
| 2019 | White-box vs Black-box: Bayes Optimal Strategies for Membership Inference | Black-box | Classification Models | ICML | Link | |
| 2019 | Auditing Data Provenance in Text-Generation Models | Black-box | Text Generation Models | KDD | Link | Link |
| 2019 | SocInf: Membership Inference Attacks on Social Media Health Data with Machine Learning | Black-box | Classification Models | IEEE Trans. Comput. Soc. Syst. | Link | |
| 2019 | Monte Carlo and Reconstruction Membership Inference Attacks against Generative Models | White-box; Black-box | Generative Models | PoPETs | Link | Link |
| 2019 | Disparate Vulnerability: on the Unfairness of Privacy Attacks Against Machine Learning | Black-box | Classification Models | Arxiv | Link | |
| 2019 | Demystifying the Membership Inference Attack | Black-box | Classification Models | CMI | Link | |
| 2019 | Differential Privacy Defenses and Sampling Attacks for Membership Inference | Black-box | Classification Models | NeurIPS Workshop | Link | |
| 2019 | Privacy Risks of Securing Machine Learning Models against Adversarial Examples | Black-box | Classification Models | CCS | Link | Link |
| 2019 | Membership Inference Attacks against Adversarially Robust Deep Learning Models | Black-box | Classification Models | S&P Workshop | Link | |
| 2019 | Demystifying Membership Inference Attacks in Machine Learning as a Service | Black-box | Classification Models | IEEE Trans. Serv. Comput. | Link | |
### 2018

| Year | Title | Adversarial Knowledge | Target Model | Venue | Paper Link | Code Link |
|------|-------|-----------------------|--------------|-------|------------|-----------|
| 2018 | Privacy Risk in Machine Learning: Analyzing the Connection to Overfitting | Black-box | Classification Models | CSF | Link | Link |
| 2018 | Understanding Membership Inferences on Well-Generalized Learning Models | Black-box | Classification Models | Arxiv | Link | |
### 2017

| Year | Title | Adversarial Knowledge | Target Model | Venue | Paper Link | Code Link |
|------|-------|-----------------------|--------------|-------|------------|-----------|
| 2017 | Membership Inference Attacks against Machine Learning Models | Black-box | Classification Models | S&P | Link | Link |
## Membership Inference Defense

### 2022

| Year | Title | Adversarial Knowledge | Target Model | Venue | Paper Link | Code Link |
|------|-------|-----------------------|--------------|-------|------------|-----------|
| 2022 | Assessing Differentially Private Variational Autoencoders under Membership Inference | Black-box | Generative Models | Arxiv | Link | Link |
| 2022 | Membership Privacy Protection for Image Translation Models via Adversarial Knowledge Distillation | Black-box | Image Translation Models | Arxiv | Link | |
| 2022 | MIAShield: Defending Membership Inference Attacks via Preemptive Exclusion of Members | Black-box | Classification Models | Arxiv | Link | |
| 2022 | Privacy-preserving Generative Framework Against Membership Inference Attacks | White-box; Black-box | Classification Models | Arxiv | Link | |
### 2021

| Year | Title | Adversarial Knowledge | Target Model | Venue | Paper Link | Code Link |
|------|-------|-----------------------|--------------|-------|------------|-----------|
| 2021 | Enhanced Mixup Training: a Defense Method Against Membership Inference Attack | Black-box | Classification Models | ISPEC | Link | |
| 2021 | Mitigating Membership Inference Attacks by Self-Distillation Through a Novel Ensemble Architecture | White-box; Black-box | Classification Models | Arxiv | Link | |
| 2021 | On the Privacy-Utility Trade-off in Differentially Private Hierarchical Text Classification | White-box | Classification Models | Arxiv | Link | |
| 2021 | MLCapsule: Guarded Offline Deployment of Machine Learning as a Service | Black-box | Classification Models | CVPR | Link | |
| 2021 | Comparing Local and Central Differential Privacy Using Membership Inference Attacks | White-box | Classification Models | DBSec | Link | Link |
| 2021 | Adversary Instantiation: Lower Bounds for Differentially Private Machine Learning | White-box | Classification Models | S&P | Link | |
| 2021 | When Does Data Augmentation Help With Membership Inference Attacks? | Black-box | Classification Models | ICML | Link | Link |
| 2021 | Against Membership Inference Attack: Pruning is All You Need | Black-box | Classification Models | IJCAI | Link | |
| 2021 | Membership Privacy for Machine Learning Models Through Knowledge Transfer | White-box; Black-box | Classification Models | AAAI | Link | |
| 2021 | Quantifying Membership Privacy via Information Leakage | Black-box | Classification Models | IEEE Trans. Inf. Forensics Secur. | Link | |
| 2021 | Membership Inference Attacks and Defenses in Classification Models | Black-box | Classification Models | CODASPY | Link | |
| 2021 | Digestive Neural Networks: A Novel Defense Strategy Against Inference Attacks in Federated Learning | White-box | Classification Models | Computers & Security | Link | |
| 2021 | Accuracy-Privacy Trade-off in Deep Ensemble: A Membership Inference Perspective | Black-box | Classification Models | ICLR | Link | Link |
| 2021 | Resisting Membership Inference Attacks through Knowledge Distillation | Black-box | Classification Models | Neurocomputing | Link | |
| 2021 | privGAN: Protecting GANs from Membership Inference Attacks at Low Cost to Utility | White-box | Generative Models | PoPETs | Link | |
| 2021 | Generating Private Data Surrogates for Vision Related Tasks | White-box | Generative Models | ICPR | Link | |
| 2021 | Membership Inference Attack with Multi-Grade Service Models in Edge Intelligence | Black-box | Classification Models | IEEE Network | Link | |
| 2021 | PAR-GAN: Improving the Generalization of Generative Adversarial Networks Against Membership Inference Attacks | White-box | Generative Models | KDD | Link | Link |
| 2021 | Defending Medical Image Diagnostics against Privacy Attacks using Generative Methods: Application to Retinal Diagnostics | Black-box | Classification Models | MICCAI Workshop | Link | |
| 2021 | Defending Privacy Against More Knowledgeable Membership Inference Attackers | White-box; Black-box | Classification Models | KDD | Link | Link |
### 2020

| Year | Title | Adversarial Knowledge | Target Model | Venue | Paper Link | Code Link |
|------|-------|-----------------------|--------------|-------|------------|-----------|
| 2020 | Privacy for All: Demystify Vulnerability Disparity of Differential Privacy against Membership Inference Attack | Black-box | Classification Models | Arxiv | Link | |
| 2020 | Differential Privacy Protection Against Membership Inference Attack on Machine Learning for Genomic Data | Black-box | Classification Models | Biocomputing | Link | |
| 2020 | A Secure Federated Learning Framework for 5G Networks | White-box | Classification Models | IEEE Wireless Communications | Link | |
| 2020 | Auditing Differentially Private Machine Learning: How Private is Private SGD? | Black-box | Classification Models | NeurIPS | Link | Link |
| 2020 | Toward Robustness and Privacy in Federated Learning: Experimenting with Local and Central Differential Privacy | White-box | Classification Models | Arxiv | Link | |
| 2020 | Defending Model Inversion and Membership Inference Attacks via Prediction Purification | Black-box | Classification Models | Arxiv | Link | |
| 2020 | Alleviating Privacy Attacks via Causal Learning | Black-box | Classification Models | ICML | Link | Link |
| 2020 | On the Effectiveness of Regularization Against Membership Inference Attacks | Black-box | Classification Models | Arxiv | Link | |
| 2020 | Characterizing Membership Privacy in Stochastic Gradient Langevin Dynamics | Black-box | Classification Models | AAAI | Link | |
| 2020 | Differentially Private Learning Does Not Bound Membership Inference | Black-box | Classification Models | Arxiv | Link | |
| 2020 | Privacy-Preserving in Defending against Membership Inference Attacks | Black-box | Classification Models | PPMLP | Link | |
### 2019

| Year | Title | Adversarial Knowledge | Target Model | Venue | Paper Link | Code Link |
|------|-------|-----------------------|--------------|-------|------------|-----------|
| 2019 | Evaluating Differentially Private Machine Learning in Practice | Black-box | Classification Models | USENIX Security | Link | Link |
| 2019 | MemGuard: Defending against Black-Box Membership Inference Attacks via Adversarial Examples | Black-box | Classification Models | CCS | Link | Link |
| 2019 | Generalization in Generative Adversarial Networks: A Novel Perspective from Privacy Protection | White-box; Black-box | Generative Models | NeurIPS | Link | |
| 2019 | Cronus: Robust and Heterogeneous Collaborative Learning with Black-Box Knowledge Transfer | Black-box | Classification Models | Arxiv | Link | |
| 2019 | ML Defense: Against Prediction API Threats in Cloud-Based Machine Learning Service | Black-box | Classification Models | IWQoS | Link | |
| 2019 | Effects of Differential Privacy and Data Skewness on Membership Inference Vulnerability | Black-box | Classification Models | TPS-ISA | Link | |
| 2019 | Generating Artificial Data for Private Deep Learning | Black-box | Generative Models | PAL | Link | |
### 2018

| Year | Title | Adversarial Knowledge | Target Model | Venue | Paper Link | Code Link |
|------|-------|-----------------------|--------------|-------|------------|-----------|
| 2018 | Machine Learning with Membership Privacy using Adversarial Regularization | Black-box | Classification Models | CCS | Link | Link |
| 2018 | Privacy-preserving Machine Learning through Data Obfuscation | Black-box | Classification Models | Arxiv | Link | |
| 2018 | Differentially Private Data Generative Models | Black-box | Classification Models | Arxiv | Link | |
| 2018 | Membership Inference Attack against Differentially Private Deep Learning Model | Black-box | Classification Models | Transactions on Data Privacy | Link | |