Black-box membership inference attacks based on shadow model
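Author affiliation: School of Computer Science, Beijing University of Posts and Telecommunications, Beijing 100876, China
Publication: The Journal of China Universities of Posts and Telecommunications (中国邮电高校学报, English edition)
Year, volume, issue: 2024, Vol. 31, No. 4
Pages: 1-16
Core indexing:
Subject classification: 12 [Management] 1201 [Management - Management Science and Engineering (degrees in Management or Engineering may be conferred)] 081104 [Engineering - Pattern Recognition and Intelligent Systems] 0839 [Engineering - Cyberspace Security] 08 [Engineering] 0835 [Engineering - Software Engineering] 081201 [Engineering - Computer System Architecture] 0811 [Engineering - Control Science and Engineering] 0812 [Engineering - Computer Science and Technology (degrees in Engineering or Science may be conferred)]
Subject: machine learning; membership inference attack; shadow model; black-box model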
Abstract: Membership inference attacks on machine learning models have drawn significant *** current research primarily utilizes shadow modeling techniques, which require knowledge of the target model and training data, practical scenarios involve black-box access to the target model with no available *** training data further complicate the implementation of these *** this paper, we experimentally compare common data enhancement schemes and propose a data synthesis framework based on the variational autoencoder generative adversarial network (VAE-GAN) to extend the training data for shadow ***, this paper proposes a shadow model training algorithm based on adversarial training to improve the shadow model's ability to mimic the predicted behavior of the target model when the target model's information is *** conducting attack experiments on different models under the black-box access setting, this paper verifies the effectiveness of the VAE-GAN-based data synthesis framework for improving the accuracy of membership inference ***, we verify that the shadow model, trained by using the adversarial training approach, effectively improves the degree of mimicking the predicted behavior of the target *** with existing research methods, the method proposed in this paper achieves a 2% improvement in attack accuracy and delivers better attack performance.