{"id":"https://openalex.org/W3081096564","doi":"https://doi.org/10.1145/3422337.3447836","title":"Membership Inference Attacks and Defenses in Classification Models","display_name":"Membership Inference Attacks and Defenses in Classification Models","publication_year":2021,"publication_date":"2021-04-10","ids":{"openalex":"https://openalex.org/W3081096564","doi":"https://doi.org/10.1145/3422337.3447836","mag":"3081096564"},"language":"en","primary_location":{"id":"doi:10.1145/3422337.3447836","is_oa":true,"landing_page_url":"https://doi.org/10.1145/3422337.3447836","pdf_url":"https://dl.acm.org/doi/pdf/10.1145/3422337.3447836","source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the Eleventh ACM Conference on Data and Application Security and Privacy","raw_type":"proceedings-article"},"type":"article","indexed_in":["arxiv","crossref"],"open_access":{"is_oa":true,"oa_status":"gold","oa_url":"https://dl.acm.org/doi/pdf/10.1145/3422337.3447836","any_repository_has_fulltext":true},"authorships":[{"author_position":"first","author":{"id":null,"display_name":"Jiacheng Li","orcid":null},"institutions":[{"id":"https://openalex.org/I219193219","display_name":"Purdue University West Lafayette","ror":"https://ror.org/02dqehb95","country_code":"US","type":"education","lineage":["https://openalex.org/I219193219"]}],"countries":["US"],"is_corresponding":true,"raw_author_name":"Jiacheng Li","raw_affiliation_strings":["Purdue University, West Lafayette, IN, USA"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"Purdue University, West Lafayette, IN, USA","institution_ids":["https://openalex.org/I219193219"]}]},{"author_position":"middle","author":{"id":null,"display_name":"Ninghui Li","orcid":null},"institutions":[{"id":"https://openalex.org/I219193219","display_name":"Purdue University West Lafayette","ror":"https://ror.org/02dqehb95","country_code":"US","type":"education","lineage":["https://openalex.org/I219193219"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"Ninghui Li","raw_affiliation_strings":["Purdue University, West Lafayette, IN, USA"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"Purdue University, West Lafayette, IN, USA","institution_ids":["https://openalex.org/I219193219"]}]},{"author_position":"last","author":{"id":null,"display_name":"Bruno Ribeiro","orcid":null},"institutions":[{"id":"https://openalex.org/I219193219","display_name":"Purdue University West Lafayette","ror":"https://ror.org/02dqehb95","country_code":"US","type":"education","lineage":["https://openalex.org/I219193219"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"Bruno Ribeiro","raw_affiliation_strings":["Purdue University, West Lafayette, IN, USA"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"Purdue University, West Lafayette, IN, USA","institution_ids":["https://openalex.org/I219193219"]}]}],"institutions":[],"countries_distinct_count":1,"institutions_distinct_count":3,"corresponding_author_ids":[],"corresponding_institution_ids":["https://openalex.org/I219193219"],"apc_list":null,"apc_paid":null,"fwci":6.297,"has_fulltext":true,"cited_by_count":61,"citation_normalized_percentile":{"value":0.9697065,"is_in_top_1_percent":false,"is_in_top_10_percent":true},"cited_by_percentile_year":{"min":97,"max":100},"biblio":{"volume":null,"issue":null,"first_page":"5","last_page":"16"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T10764","display_name":"Privacy-Preserving Technologies in Data","score":0.9995999932289124,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T10764","display_name":"Privacy-Preserving Technologies in Data","score":0.9995999932289124,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11689","display_name":"Adversarial Robustness in Machine Learning","score":0.9991000294685364,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T10927","display_name":"Access Control and Trust","score":0.9804999828338623,"subfield":{"id":"https://openalex.org/subfields/3312","display_name":"Sociology and Political Science"},"field":{"id":"https://openalex.org/fields/33","display_name":"Social Sciences"},"domain":{"id":"https://openalex.org/domains/2","display_name":"Social Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/softmax-function","display_name":"Softmax function","score":0.8245000243186951},{"id":"https://openalex.org/keywords/inference","display_name":"Inference","score":0.6599000096321106},{"id":"https://openalex.org/keywords/generalization","display_name":"Generalization","score":0.6229000091552734},{"id":"https://openalex.org/keywords/training-set","display_name":"Training set","score":0.5342000126838684},{"id":"https://openalex.org/keywords/set","display_name":"Set (abstract data type)","score":0.5271000266075134},{"id":"https://openalex.org/keywords/vulnerability","display_name":"Vulnerability (computing)","score":0.4787999987602234},{"id":"https://openalex.org/keywords/process","display_name":"Process (computing)","score":0.4693000018596649}],"concepts":[{"id":"https://openalex.org/C188441871","wikidata":"https://www.wikidata.org/wiki/Q7554146","display_name":"Softmax function","level":3,"score":0.8245000243186951},{"id":"https://openalex.org/C2776214188","wikidata":"https://www.wikidata.org/wiki/Q408386","display_name":"Inference","level":2,"score":0.6599000096321106},{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.6503999829292297},{"id":"https://openalex.org/C177148314","wikidata":"https://www.wikidata.org/wiki/Q170084","display_name":"Generalization","level":2,"score":0.6229000091552734},{"id":"https://openalex.org/C119857082","wikidata":"https://www.wikidata.org/wiki/Q2539","display_name":"Machine learning","level":1,"score":0.6080999970436096},{"id":"https://openalex.org/C154945302","wikidata":"https://www.wikidata.org/wiki/Q11660","display_name":"Artificial intelligence","level":1,"score":0.5996999740600586},{"id":"https://openalex.org/C51632099","wikidata":"https://www.wikidata.org/wiki/Q3985153","display_name":"Training set","level":2,"score":0.5342000126838684},{"id":"https://openalex.org/C177264268","wikidata":"https://www.wikidata.org/wiki/Q1514741","display_name":"Set (abstract data type)","level":2,"score":0.5271000266075134},{"id":"https://openalex.org/C95713431","wikidata":"https://www.wikidata.org/wiki/Q631425","display_name":"Vulnerability (computing)","level":2,"score":0.4787999987602234},{"id":"https://openalex.org/C98045186","wikidata":"https://www.wikidata.org/wiki/Q205663","display_name":"Process (computing)","level":2,"score":0.4693000018596649},{"id":"https://openalex.org/C2777211547","wikidata":"https://www.wikidata.org/wiki/Q17141490","display_name":"Training (meteorology)","level":2,"score":0.4133000075817108},{"id":"https://openalex.org/C169903167","wikidata":"https://www.wikidata.org/wiki/Q3985153","display_name":"Test set","level":2,"score":0.35839998722076416},{"id":"https://openalex.org/C2780586882","wikidata":"https://www.wikidata.org/wiki/Q7520643","display_name":"Simple (philosophy)","level":2,"score":0.3476000130176544},{"id":"https://openalex.org/C16910744","wikidata":"https://www.wikidata.org/wiki/Q7705759","display_name":"Test data","level":2,"score":0.3382999897003174},{"id":"https://openalex.org/C124101348","wikidata":"https://www.wikidata.org/wiki/Q172491","display_name":"Data mining","level":1,"score":0.3375000059604645},{"id":"https://openalex.org/C2777267654","wikidata":"https://www.wikidata.org/wiki/Q3519023","display_name":"Test (biology)","level":2,"score":0.3352000117301941},{"id":"https://openalex.org/C58489278","wikidata":"https://www.wikidata.org/wiki/Q1172284","display_name":"Data set","level":2,"score":0.3278999924659729},{"id":"https://openalex.org/C120936955","wikidata":"https://www.wikidata.org/wiki/Q2155640","display_name":"Empirical research","level":2,"score":0.32019999623298645},{"id":"https://openalex.org/C153180895","wikidata":"https://www.wikidata.org/wiki/Q7148389","display_name":"Pattern recognition (psychology)","level":2,"score":0.27469998598098755}],"mesh":[],"locations_count":2,"locations":[{"id":"doi:10.1145/3422337.3447836","is_oa":true,"landing_page_url":"https://doi.org/10.1145/3422337.3447836","pdf_url":"https://dl.acm.org/doi/pdf/10.1145/3422337.3447836","source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the Eleventh ACM Conference on Data and Application Security and Privacy","raw_type":"proceedings-article"},{"id":"pmh:oai:arXiv.org:2002.12062","is_oa":true,"landing_page_url":"http://arxiv.org/abs/2002.12062","pdf_url":"https://arxiv.org/pdf/2002.12062","source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":null,"license_id":null,"version":"submittedVersion","is_accepted":false,"is_published":false,"raw_source_name":null,"raw_type":"text"}],"best_oa_location":{"id":"doi:10.1145/3422337.3447836","is_oa":true,"landing_page_url":"https://doi.org/10.1145/3422337.3447836","pdf_url":"https://dl.acm.org/doi/pdf/10.1145/3422337.3447836","source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the Eleventh ACM Conference on Data and Application Security and Privacy","raw_type":"proceedings-article"},"sustainable_development_goals":[],"awards":[{"id":"https://openalex.org/G3994529929","display_name":null,"funder_award_id":"1931443","funder_id":"https://openalex.org/F4320306076","funder_display_name":"National Science Foundation"}],"funders":[{"id":"https://openalex.org/F4320306076","display_name":"National Science Foundation","ror":"https://ror.org/021nxhr62"}],"has_content":{"grobid_xml":true,"pdf":true},"content_urls":{"pdf":"https://content.openalex.org/works/W3081096564.pdf","grobid_xml":"https://content.openalex.org/works/W3081096564.grobid-xml"},"referenced_works_count":12,"referenced_works":["https://openalex.org/W2019735187","https://openalex.org/W2164943005","https://openalex.org/W2473418344","https://openalex.org/W2532520288","https://openalex.org/W2535690855","https://openalex.org/W2795435272","https://openalex.org/W2884943453","https://openalex.org/W2887995258","https://openalex.org/W2911978475","https://openalex.org/W2930926105","https://openalex.org/W2983140679","https://openalex.org/W6688325169"],"related_works":[],"abstract_inverted_index":{"We":[0,62],"study":[1],"the":[2,10,24,52,74,79,84,90,103,108,114],"membership":[3],"inference":[4],"(MI)":[5],"attack":[6],"against":[7,67,137],"classifiers,":[8],"where":[9],"attacker's":[11],"goal":[12],"is":[13,48],"to":[14,45,51,72,88],"determine":[15],"whether":[16],"a":[17,42,65,98],"data":[18],"instance":[19],"was":[20],"used":[21],"for":[22],"training":[23,57,80,85,91,115],"classifier.":[25],"Through":[26],"systematic":[27],"cataloging":[28],"of":[29,37,97,113],"existing":[30],"MI":[31,46,68,138],"attacks":[32,47,69],"and":[33,59,92,116],"extensive":[34],"experimental":[35,120],"evaluations":[36],"them,":[38],"we":[39],"find":[40],"that":[41,70,123],"model's":[43],"vulnerability":[44],"tightly":[49],"related":[50],"generalization":[53],"gap---the":[54],"difference":[55],"between":[56,107],"accuracy":[58],"test":[60],"accuracy.":[61,81,145],"then":[63],"propose":[64],"defense":[66,130,136],"aims":[71],"close":[73],"gap":[75],"by":[76,95],"intentionally":[77],"reduces":[78],"More":[82],"specifically,":[83],"process":[86],"attempts":[87],"match":[89],"validation":[93,117],"accuracies,":[94],"means":[96],"new":[99],"set":[100],"regularizer":[101],"using":[102],"Maximum":[104],"Mean":[105],"Discrepancy":[106],"softmax":[109],"output":[110],"empirical":[111],"distributions":[112],"sets.":[118],"Our":[119],"results":[121],"show":[122],"combining":[124],"this":[125],"approach":[126],"with":[127,140],"another":[128],"simple":[129],"(mix-up":[131],"training)":[132],"significantly":[133],"improves":[134],"state-of-the-art":[135],"attacks,":[139],"minimal":[141],"impact":[142],"on":[143],"testing":[144]},"counts_by_year":[{"year":2026,"cited_by_count":2},{"year":2025,"cited_by_count":14},{"year":2024,"cited_by_count":11},{"year":2023,"cited_by_count":24},{"year":2022,"cited_by_count":5},{"year":2021,"cited_by_count":5}],"updated_date":"2026-05-12T08:28:47.272897","created_date":"2020-09-01T00:00:00"}