Machine Learning as a Service (MLaaS) has significantly advanced data-driven decision-making and the development of intelligent applications. However, the privacy risks posed by membership inference attacks (MIAs) remain a critical concern. MIAs are primarily classified into score-based and perturbation-based attacks. The former relies on shadow data and models, which are difficult to obtain in practical applications, while the latter depends solely on perturbation distance, resulting in insufficient identification performance. To this end, we propose a Spatial Projection-based Relative Information Loss (SPRIL) MIA to ascertain sample membership by flexibly controlling the size of perturbations in the noise space and integrating relative information loss. Firstly, we analyze the alterations in predicted probability distributions induced by adversarial perturbations and leverage these changes as pivotal features for membership identification. Secondly, we introduce a spatial projection technique that flexibly modulates the perturbation amplitude to accentuate the difference in probability distributions between member and non-member data. Thirdly, we quantify the distribution difference by calculating relative information loss based on KL divergence to identify membership. SPRIL provides a solid method to assess the potential risks of DNN models in MLaaS and demonstrates its efficacy and precision in black-box and white-box settings. Finally, experimental results demonstrate the effectiveness of SPRIL across various datasets and model architectures. Notably, on the CIFAR-100 dataset, SPRIL achieves the highest attack accuracy and AUC, reaching 99.27% and 99.73%, respectively.